23542300x800000000000000021864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:40.647{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCB41E9A1B6C4E178974DB12C1D77D0,SHA256=3EAFC8C465A66761323C7D9085B4F732A01DA0C9816EEC7FB934597465981330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:40.491{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C4E027F34998AA497BFE8ED3679A48,SHA256=D95957F87D1ECCB14756068B3795E5B56367C4BF9D682E81387E946776F05323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:41.746{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4737753AAD5E133D65A30DE1D035E534,SHA256=B989F13004A5E4D60602B6B472C642D7A9361EE7246BA8602D0BDBA9D68C6DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:41.509{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5465C802CE6ADBFA219BC603AFAFA258,SHA256=227D2A7B494F16C37E0F2328209F9B93FFA95708B55D3BF9BB2971B7BEA83BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:42.879{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B391DFD51574A0DEF6301C27A98DA19B,SHA256=9A4DD583B83B6E70A37FC5500BF6C90D8DB6FA1819C0907E1D225970C4C67F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:42.629{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03AE2BD63BFDA1042741CBCDE98CF74E,SHA256=0A233833DDDA6ACBED6B846C09FFA41794FEC821F4A553C6585DDF4E9DA200A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:41.388{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50398-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:43.683{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCFABE5D62AB807EBDCF8FB61CEAF2C,SHA256=27CD2600696913C3FF7A0780A6A11EAAF32FD1E2981EBA52B6A219C291476DB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:39.306{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65358-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:44.701{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1E519F8EF94633240C4D07699DC8AF,SHA256=EA0A17AA91DD70B4442380D1C62199BD039904D1A55C27EB066199654BA6A3C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:43.998{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BCA390E41FFCDF09219E48AA5AEE45,SHA256=AAF7B1D8E495DF3FC23AB26DBE554D8640C96D1F78508AE26F70D0412FD9753D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:44.115{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=6AE70C80B9414F64D22B74C37FB1A753,SHA256=00557A99757EE7B6376A4FC014EA8888F03E080118A6707F5040AA8D6CCFEA48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:44.115{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=EEDC9FF5E7F2D31913516146FAE86984,SHA256=C6F32341DCDE294EC4991D149566D83CE3797A32BA440A8045E1A87E17F1B7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:44.115{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=7657411E92B17ADBBD955B4BCD36DE67,SHA256=7703B0A9147988CAC10DB625BE725FBA67D72DFB0B2FF0532C6BC0AD67F6166F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:45.736{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266F5F1827D46769230773F5E3C68022,SHA256=5526CAA9C34D169C4C13698465579290BDEA2320CCC20A32BE52DDC0AE35E9E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:45.028{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E14744F267FB936D986568C7E1ED53,SHA256=68F71D7FC5953BDC92C84134A8A0FD714ADCCBA470EC1902B5DF60D5EBB95007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:46.790{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91224D893F495E29BA2A4B80906DB0E,SHA256=554476B37608610D39A2FC28884EE10A7F68872A0A51958686FCEE727F390DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:46.060{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8CF42CBC87AD9CF2662AE7F58E0FC6,SHA256=D8CEDC31175663785BA8E2BB98137148BEF8954D1B5E3A34CE70C64FE245E855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:46.538{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:46.537{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:46.537{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000026871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:47.833{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE4D69F413E93C50C9BBF6D74C60B58,SHA256=46EA7224C8D11A129DA879939A62AFEDBD8B14266982A5A07F435C2B048CF846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:47.159{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE0D4914AC520E58AED607F4C91608F,SHA256=189EF8CC9B5C478C7B3CFB093E21317FD862F41A70A09C95A5540800CFD2ADEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:47.108{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D8DC2E91218AF8D46C18F020366776B9,SHA256=1F252E206511DE829D540CEA94FC72548760D9E85A38378B53C20C7208525514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:48.853{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7373648FBF26A57709D7964195536AAC,SHA256=72E5806AB2028A84CFB8B805260425BF16B80D59774E7BD828E4AE1F8EBC2488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:48.192{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F403EFCF291232AFA809CB85DCE57D,SHA256=1B29FCF8177444A217E1721944305A9EEB979DB1FC248B6A9A033EFBA0D98787,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:45.367{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65359-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:49.879{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3FD086B2AD23B987CBB1AA7FBBEF3F,SHA256=8AF677A37CA79AB270D04836B9459E86D2EF2522AB5E13874FBB2E4194DD0EE6,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000021875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-DeleteValue2023-04-21 11:51:49.595{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileName 23542300x800000000000000021874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:49.295{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B75DABDA86F572C013787BC07F9269,SHA256=383BDA4CE76C755705C489A2BC4D7782D37D95890998C65B0CE6CB4EC61EAFFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:46.485{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50399-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:50.909{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0240943584EF7E156A74F88B8B0C0A,SHA256=F4DDBAA9C9C015FE88BA4C2D8FB1728B11BD974FBA92D9930CD9A5326A6C76DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:50.675{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=355528BE2E31D14F5F4E1B79CF901D9C,SHA256=C4FEB7DA5E1265C76C3896B971F83E9351F0FCB4BD36BAE7414DC46A973165A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:50.426{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86181461F10CD6A54D7419B6C800E30,SHA256=ECBA637EC6C8D2B8AB05877C7B3909749CB7F07C509866401877D02F6A7FF0CF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000026880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000026879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000026878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000026877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d97447-0xa87a5b02) 13241300x800000000000000026876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000026875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x800000000000000026882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:51.942{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B61A15DDAD24D71A266DEE4BF7B6A8,SHA256=EE0F78004483C748ABEE883CFD2A8A186DE3ADA5A42C411E4F95985295E0A486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:51.474{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192D454C05E8FDE9B03ABA0FFC2E24F2,SHA256=69373227F37FB3DFA0AE623376A69633F2CE998D0AACFBF9D2AA62FB275CFA4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:52.589{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846EEB9CBD3B69761C3FB2F8CE9B24BF,SHA256=7A3AD96BF10D22D3150EC2A4AEA69BA599EA453065A6CD6818D5F5FD24773A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:52.962{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEE8C4FAEAD4D7D01F95FA45AAC85D0,SHA256=A7303D126A0478C99B540FDF5EDBBB6AE730CE3FCD8604EADF78D91E50BF2FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:53.623{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE6CFB22717E452685EB4608E045B76,SHA256=B37FCD6E113234CC5AC94E898D273371D4451D43FFBCB68167B1049657CD5096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:53.988{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D1D0ABAB3B12863FAD215E30D858A0,SHA256=D4E693FAC6F0812F2DCA4B1FF492DB2655E417B3FD2EE3136C9C1638902A75DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:54.654{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB03C2FB5EADFEE80B8137D73A939D18,SHA256=66677E565872D64488A8710AD8CFF5DDA128C8DF3BDB36FDE2A292489782592C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:51.388{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65360-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000021883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:55.772{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C351BAAF5718DFDBD3A6D954849BDF,SHA256=E8E3489C37383BA4A74D3EDEC3A88B4BF45E2E36968C206511A8821766F0385B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:52.443{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50400-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:55.019{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FB4B1FAEAEB79AC2E1F99A9550BAAC,SHA256=7F52F5A8245F96448A3F1BFD41AB3406B4177B3225A2132EBBC657941CF33180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.790{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53E7E3867E85401120FB43A1868E774,SHA256=A72D87A547DCAB4C0D1EEDD03D165F5A7EC49C9C7DEF1E455E982ED2C517F659,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.471{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78DC-6442-E402-00000000DD02}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.471{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.470{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.470{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.470{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.470{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-78DC-6442-E402-00000000DD02}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.469{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78DC-6442-E402-00000000DD02}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.469{223CB5FF-78DC-6442-E402-00000000DD02}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:56.037{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9EB3F1864AC2F389BF3C1D6E9AF6BD0,SHA256=04A7B84E53228D17E3351549C84CB629AF8564F4047FD15C1FC23779E4FC80EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.922{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE14E2F3F72B49446FC2D6169A58030,SHA256=7F7E87153CC7F1222AC81590448C6F7B4ED8B28381F75D44BD77FEAE91190E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.922{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=74AD64A7380FE985F1914CB1B0842852,SHA256=747B58EFADC7F2CBAC67D3774901B442092379F05B2CF5A1C474FEC864D1E54B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.871{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78DD-6442-E602-00000000DD02}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.871{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.871{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.870{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.870{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.870{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-78DD-6442-E602-00000000DD02}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.870{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78DD-6442-E602-00000000DD02}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.870{223CB5FF-78DD-6442-E602-00000000DD02}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:57.059{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F318335D05321B17214E5BF352E617,SHA256=EF9D2ECA44B5DC382B14900060F4D36FF1FBC7C6EB8715C51A51DD80188B474A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.538{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CDF4E4FBC543CDEFF774EF286436CA0,SHA256=FC10ADF69808B182A65B736C1A99652A4B2BD78AE52D6E6E623A22C05C4FEBA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.372{223CB5FF-78DD-6442-E502-00000000DD02}24366652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78DD-6442-E502-00000000DD02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-78DD-6442-E502-00000000DD02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78DD-6442-E502-00000000DD02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.206{223CB5FF-78DD-6442-E502-00000000DD02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.952{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FCFB530057EB37D8A35CF4C031BB74,SHA256=5F9BE20F4E7E1496F2D517F5275B9288B936ED0753AA1620791DE7E405357847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.852{223CB5FF-78DE-6442-E702-00000000DD02}44126804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.690{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78DE-6442-E702-00000000DD02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-78DE-6442-E702-00000000DD02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78DE-6442-E702-00000000DD02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.687{223CB5FF-78DE-6442-E702-00000000DD02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:58.079{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B275232F5B5B14134B9688938C4874A,SHA256=3DB4F693930DBEB678A0EF5F7FC6D0F7A4401F024683F6459748D51F130B8087,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000021937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000021936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000021935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000021934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d97447-0xae4c7d74) 13241300x800000000000000021933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000021932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x800000000000000026891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:59.364{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CA6CDA95F57C27579D14BE07689904A,SHA256=796AEEF8D806CDA430FEE3D7A0E017D487FAF406C70AB2A0FA14EAA20E8257A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:59.105{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F31A6D066AF25AAF5F022E674B342EE,SHA256=1E9BCC8D89D38135B8451E452045E7C4CF20F3757988F2289CF6CEC8CB28AF62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.572{223CB5FF-78DF-6442-E802-00000000DD02}64803208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78DF-6442-E802-00000000DD02}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-78DF-6442-E802-00000000DD02}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78DF-6442-E802-00000000DD02}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.354{223CB5FF-78DF-6442-E802-00000000DD02}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78E0-6442-E902-00000000DD02}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-78E0-6442-E902-00000000DD02}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78E0-6442-E902-00000000DD02}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.926{223CB5FF-78E0-6442-E902-00000000DD02}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.007{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F145FA599B0475B65C3ABDE6343F0A,SHA256=D14D821115678C702855B4BFDEFEC3D833A1319015060C197D8EECD08EA5588E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:57.205{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65362-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000026894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:56.445{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local65361-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000026893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:56.445{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local65361-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000026892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:00.139{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE5E121D4D83B37E6E70D1B96A0DEB2,SHA256=44510CC286DD3692F84EF914672ED5ECB7D23E153D04A91836D26034DC4BCD6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.495{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78E1-6442-EA02-00000000DD02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.495{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.495{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.492{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.492{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.492{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-78E1-6442-EA02-00000000DD02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.492{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78E1-6442-EA02-00000000DD02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.493{223CB5FF-78E1-6442-EA02-00000000DD02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000021949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.456{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50401-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000021948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.109{223CB5FF-78E0-6442-E902-00000000DD02}52366800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.056{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A5AD3662BF24B9BEE6C7BF39FAB46B,SHA256=DD357B6B1C71CFAFEDB72F26402A5E949B9AF90782D299FDF841F65B18C3AC1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:01.172{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C13F85893C0D3A65E5DC95EC0477DFB,SHA256=D62649F3273A1A247909610B2D82664C57F0DA4B59D3C71D561ACE052103A08E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:02.178{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BFAF0FCF07B99C844487C02DDFEA10,SHA256=F5F70E91F763E4888AB1C746CB75BEEF2F35D80CB438D65D6B184F9BE94EB0C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:02.192{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE03BE402C81AB06ECD0370B46D82AD,SHA256=11FDC6232B83BF8B802CE3B56BF9CA83272E5816B63532B61CAF60FF116EB63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:03.214{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D622CC60F3393CA10EC501F839ECE5,SHA256=A60F2D52AD8502A501DD0438A6AB7EE9000F76DE4DC91B0DDC38901F94AF17BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:03.219{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DE6ED0CD3FDE8350CF966E1BC6256B,SHA256=7E43ACB3EDE6DB64358B3C8EB36FE6BD0341A40D1245521D0A3AFAF24B87DC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:04.233{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA666BABCD5D5C7C9C423B7DEE9F0FC,SHA256=F7C4F2F159ADF7B740C6C40710876D6F342732FD220F97406FBD7729683BF172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:04.297{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF7E9F02837EBFB137E77AF88C70337,SHA256=6F84F562ACCC3A6C89F692A76268D7EE249A5952D616F6FDF090FFDDC98DD250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:05.366{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFE82688293EF0E3BE27167881E1901,SHA256=1D0CDD7B275F8CA1032E492E16A7FF37844562F3E26F24875F1BEB77599EAFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:05.323{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BBA5F5E1F4494ED5A19BC3C3FD6C27,SHA256=07F11D8DD827BAC0F9EBDBD62D5435A665FFFD0F9D3022B2DE0AF6328F8650C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:06.437{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A1985F4C70E99346B90BCBF09276E3,SHA256=388ECE5610A59774DFD1A71B9023EA264D76E70E6B30A41D17E08EB2025E1DC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:02.289{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65363-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:06.385{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FBB364AB724267366331FD22C852F8,SHA256=2762FFE86E7BEF87D5CA44B59F040439A5B2D37DB3B6C13F951E45D03C6E023B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:07.856{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E7A767B62E5ADBF5F352EE507A0EEAE2,SHA256=423435C8EB42779916C1F8D9C4E4BE86FD31BF02291F30AD978B7420CBDEB40E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:07.556{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DAF329DBD11214F935F18EC54D7BB0,SHA256=E6D418CC629FD63668B514E3FAD32D67F381A3276D7BA0F5F639A9A1ED3D5B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:07.428{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518131E3754999032F16CE635078C6DE,SHA256=E194DDE77E95F2D420BBD955C82394CDD171571ECF11ED975DD3B43A12874327,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:04.338{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50402-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000021966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:08.591{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020890CE949CDA7CA27A52C43C59A720,SHA256=C145080795837BD0A3F6F851D4B6F3078103B236452DE53E69EC17B35509E68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:08.459{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACBD61EFBC13A1C57B5F1C53CFA45B2,SHA256=5C99BB135040572CE3325DE94223A537FEC9A7899385E40686B911BFA7A07608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:09.630{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79C2D9919744DF9E5666DFFF3157B25,SHA256=1E6F46412FEDFFFCC25514D53B5A5916F55E76591468942C3D14E9972C6A6862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:09.509{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E875E4CE838D0C74E7E8C004A0DEC8E,SHA256=41C4953F247397B15D83CCF45386BBDDB41C41EB189AC04654C20BE9B5E78E5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:10.663{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94CC1BC16359A66DE00070DAADF2CFB,SHA256=799F3AD6C3B46F525038C996853BDCDB2E58AF2D3FC189E08CF80096A63170FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:10.536{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF876A6AE7D31E743CE1091A0B98835,SHA256=A64CF9812370EBDE1FE78D3C3DA90289BE5507B7D11FDC0FE80BE901E79A1342,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:10.447{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:10.447{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:10.447{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000026906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:10.165{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-055MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:11.681{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBC51B6973573008AAB48F5A24EE04C,SHA256=E5B1F8061E64ABA5911D0C5162AC8407E6D103C2236858D5D7F52D4A369E7DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:11.615{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FA3BC56AA1714A346FDA3EDBC895A4,SHA256=D2A928C23E17791BEB509EC391DAA482EB4D82C2896112D20D6F77DF3583D649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:11.166{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-056MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:12.702{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE28B809074D108BD02F16499BF77B1,SHA256=2E7B68207E983CC3992BFFD8A92D5D9B3FA6A9FA108E1B2A6D37B5E3ABAFA95D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:12.668{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A57A5C6674EBE2354A1D52EC8AE053,SHA256=19D61F5274FF685977D34D9430B4A95031A216FAA8BACCF2AA84C5545D2FB047,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:09.400{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50403-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000026910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:08.304{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65364-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:13.702{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46AE67ABEC06047BA2C3BEB7DB7F3BAF,SHA256=640FC81E138263645E4BA69033E6C0380E9A208F509ACCBF3D6E165ACC375405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:13.740{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08F031E025D5B1426E3CEF5E0DFFB16,SHA256=9AB131A1DC0F278F8A668872CC2715E6BF0F95A743BDDBCAA1C59A9C71A8227B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:14.722{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7F982E62408E85908928838E88BD77,SHA256=3B1FE490D1F57789B3C503B26246221638E1CC92A036A167340B3804F1AB6664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:14.773{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E982492C724C5D1EAFD9D412DCAFA75,SHA256=1045C722AAE04B1AD3A1D97067D92E8747345CDF47036679825F4C87D69AC05C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.776{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E20EEB762B64E6526E2F562BA03BB48,SHA256=44A5652A83D445DF2FBF78A99AE34EFFA3011A7142B23CE40374592822840DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:15.827{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D711C7B2F3009DF4FB24942AB7F1487C,SHA256=E231629D85E835C6B991C2B6974E584172746997F9300907027B52F06039E827,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78EF-6442-3B06-00000000DC02}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-78EF-6442-3B06-00000000DC02}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000026915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78EF-6442-3B06-00000000DC02}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000026914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.176{AF4EC832-78EF-6442-3B06-00000000DC02}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:16.848{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B152A67FFD7856590A7389A33C90F8,SHA256=66A079F423783A3EDC2660C19A6A71B6543CD8B0CC2D97E754F75AF88EE5D877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:16.910{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A1397FC4CF0824E4F56EC1C24EC662,SHA256=C9DBA94DFC84D9D6689C874F2BBFF81B6AF3C138868AAB86FED7056F7C21EAD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:13.387{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65365-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:16.253{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67D637271CDEE22396653A3EC0396548,SHA256=29D7E17079F3059BDF96A2179C422ABB9E2FF462FF21995436446BD0FB0984D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:17.967{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C593491FC87EFF2DEAA3A24A7B7EA3F3,SHA256=C074C91D2F49CDC5E5914455C45DA4334AA286E6CF0513AFC6C887EBBA488C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.980{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376B81634A8657ABDC9E71882FCD077B,SHA256=4A501AC9D309967468CE4AD07DBA29AFDC94DFAB20DA9F6A88BB2DAB07AC6FE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:14.513{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50404-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.536{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C54DC49D6C8C735587ECF9BE9B838760,SHA256=42328C180F36DB73C17A08CE3AA2DD9213AFB5754A1BD7DC48F83A45D161556B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F1-6442-3D06-00000000DC02}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-78F1-6442-3D06-00000000DC02}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000026936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F1-6442-3D06-00000000DC02}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000026935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.512{AF4EC832-78F1-6442-3D06-00000000DC02}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.234{AF4EC832-78F1-6442-3C06-00000000DC02}50084360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F1-6442-3C06-00000000DC02}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-78F1-6442-3C06-00000000DC02}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000026927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F1-6442-3C06-00000000DC02}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000026926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.011{AF4EC832-78F1-6442-3C06-00000000DC02}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.253{AF4EC832-78F2-6442-3E06-00000000DC02}68326524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F2-6442-3E06-00000000DC02}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-78F2-6442-3E06-00000000DC02}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000026946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F2-6442-3E06-00000000DC02}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000026945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.066{AF4EC832-78F2-6442-3E06-00000000DC02}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:19.372{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-045MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:19.254{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:19.017{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF94C0A549BFE33C09E4F8EC27573218,SHA256=A0993C104FD6BC977A20AE2693486F7508980985AC142E6FBB73DE9C16A7576B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.837{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F3-6442-4006-00000000DC02}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.834{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.834{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.834{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.834{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.834{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-78F3-6442-4006-00000000DC02}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000026965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.833{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F3-6442-4006-00000000DC02}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000026964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.833{AF4EC832-78F3-6442-4006-00000000DC02}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.336{AF4EC832-78F3-6442-3F06-00000000DC02}44326452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F3-6442-3F06-00000000DC02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-78F3-6442-3F06-00000000DC02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000026956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F3-6442-3F06-00000000DC02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000026955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.157{AF4EC832-78F3-6442-3F06-00000000DC02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.099{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFB33DFE2834765FA40AA7BFC6598B0,SHA256=660DF734AC238780792A3099867509584F926BEBD1A73582CDF977C65BB5E3D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:18.542{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50405-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000021985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:20.374{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-046MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:20.138{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18944BBC65B50238E59E38D4DB660B4,SHA256=1B3309555CC887E8FA532C96620ACBD6A7E2216E423F29F6EE7B7469DE71E3E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.502{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F4-6442-4106-00000000DC02}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.502{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.502{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.502{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.502{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-78F4-6442-4106-00000000DC02}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000026976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.502{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.502{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F4-6442-4106-00000000DC02}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000026974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.503{AF4EC832-78F4-6442-4106-00000000DC02}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.117{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BBA74A234021FB7D46FD04BD16CB60,SHA256=D747346678E6FCA85BAC24B10553D4AFE48E19FCB32894043706E7A95575C3BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.042{AF4EC832-78F3-6442-4006-00000000DC02}70842360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:21.174{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F123227C688E3F78CC93EE604354F791,SHA256=D54313F18DEE6E1658045F070DFE53FA660AF3FA34D61BA383FAEF8401BE90C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.398{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65366-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:21.562{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EA061D4592458C5E7FD68479F18B572,SHA256=EC2293039374519A8AB5916C24A8410E2F06CF003286E426BF42C54B3066D8D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:21.161{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2048146407A2B14509FB459A831FE4E,SHA256=DE55BF764BA032B5C574BD92A2B0BB9A8069BE14DB6C06B9DE0257339BA93B05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:20.494{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50406-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000021988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:22.225{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71559AAFE58BB97B214E27691E4B7056,SHA256=2EA7FB64A5326953272BE185FEA3ED3C7370E5A229906782800EA585E68AF5D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:22.191{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA33440BAFCFF3A73EFF39BC2307834,SHA256=E0D486C6E2063D953320AD6F0C8FB724D7B6B509229EC2AE8DD370E37A7FE935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:23.278{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76DF537F1BF46B2180E3F500D0F01C5E,SHA256=B86F29B7A57D5D6EFCC3A6F83CF2A4403789AF0241A5C47A75852B689E75AE06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:23.310{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D193956052E4F2CA9C2D468967E24117,SHA256=A4A9FF5CDD683D116A3EDA9689D7009F322BAA2A0D266EE7C72C8FC00E57F2B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:24.296{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53B26E393F252C0C91C3D88123648AD,SHA256=B9B6E822CCF293B1708C8920038E975F3D88F4CF16AFFF76C99E5642362FE385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:24.328{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF4CB9222ACD696927E85EF83C59A34,SHA256=444296ED3D160971ED2986C40A7ECC39C4D957AF423B4C27328FE078E7106859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:25.448{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68B4CB5E3B3FBB421048FA24412DA8F,SHA256=46C6426F629F4BD68DAB179DE54DD68A84C983A88604598C9E46918DF6161A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:25.315{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FBB36D3C0C9C81F48A901F5CA2C2938,SHA256=6C578CEDA8E16B280A71B16259BD9E4EB8A906AE9C9CF7677DB7CB5188C00025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:26.502{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89023F20E2571CAF9A192FBD626E93C9,SHA256=1D28A6950D99CCDEF710B7A1A0ABCC456792F2EC7363CF6EC26F1D9F12875050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:26.335{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14196A9D8A1C4AC05D008C174A4921A4,SHA256=E05374E749EFCCE555815FDE0237EC9A7EE73917699994FB08BB19AC6669951B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:24.239{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65367-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:27.536{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2C55C6B9E123F995DF192C176C89BD,SHA256=4246324BE6DF695B52B633F49664A179A8816803D15493B2B5E92470CAC6B5FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:27.990{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8BF936ED99BD429DD2D4830579657A62,SHA256=F6434EEB91099E53B52832C28DA86B9BA16D2D1C09E2739F454E431F78931025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:27.355{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D74C580B7A9F9A09D6096DF453FEF74,SHA256=DFE23ECEC6516BCDAE34B734229D72CB40E0BDA4B8CFB6073A538ECAD0B37C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:27.304{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:28.391{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FBF7730EB4874045C19F8D9250D140,SHA256=055E331312B6E774CE4218BAE79838BBBB4D05C8ADF9F6211FE3B8466E3EBDA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:25.414{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65368-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000026993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:28.557{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE861984BFBF28BA91ECF9675B64C43,SHA256=5C588421EDB054EF1622E2C821C5CA3B3EBAA3599FE22C5EED4295247D09099D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:26.493{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50407-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000021997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:29.409{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7C48B158A5F188F6532301C5CF2AE8,SHA256=5D4CC999ABBE28D7248BD30ACE5650FFC7712EAB0BFE7B0D9A3FBCFD36EA5C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:29.640{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551BC8AA5A1B94C85EE5E1523664E6F7,SHA256=A51F84FF7FB9284E9733FC591EF5A29C170E9F8D267095DB2A634EBAE0910E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:30.760{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACACF571F79C414950EE703957CDE17,SHA256=A9F5C6768AE463B5E9B64812B09983C13783D95F2208948F02E5864F4048D037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:30.445{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E03A1DC262F843CE9E442CA4136C6E,SHA256=F0CAA4FA88325F9F425DCC913D2B7ACC7D4653A37511765E7D47305C4EEA7786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:30.195{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=86471DEE75EAB1E83D0D00CC9E3620BD,SHA256=7C31CBF5891B30726731EA046B61EDDD1A4F006130F39E59B31F7CE0846A17E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:31.845{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A989A5FFA29A53C43FFE20D73CF681,SHA256=39A213E92EA907C8DB61A291BE2043F1FACB527830F63A116D64AE34ABBD4E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:31.464{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63A66628B505B3262C52AEFF791C4E8,SHA256=7FBB4F11FD53442292A90827B352498A581949EC772CE0524A3D6CFC2186F47C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:32.601{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186A78915D3A77004832625B038E4F25,SHA256=5BD3F5F7E456902C495B83A8C059FAD65F2E6B1536814C7C26F23F258D4AA8D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:29.251{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65369-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000027033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2100-00000000DC02}2448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2100-00000000DC02}2448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:33.619{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DA3025C445F4B00981DBB7EA9636D2,SHA256=FFD6CE2C044B9E1927D9FEC8ADF85ACAAD7EB9B356C0976F162247A8619111FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:33.088{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D227DC8C2FBB61182DBF8170EFBD3AEF,SHA256=8EA295588DFB6578030E76BC30A75229F5C31A9548CF56CBBB89CA86F0DF5992,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:32.356{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50408-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:34.654{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CEF7CCA0D6D2FDFFDCBB72CA03F232,SHA256=54F55FA60B234629F13019DBFBA01BB2E148654E9FDB9DC072A1CEC817DF2AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:34.119{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6731B130B4188F28EA5B0F359627D80E,SHA256=29A712E469F034B16821B1118317BE28E55F870481AE25B80D402CF24A2B59AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:35.674{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E44D722D13A1548D6E98139EE2500D,SHA256=8AF6558067F748F644AB7D88C49CDA80B9150B5F3EB71996A8ED1AC05E0E1D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:35.137{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C6000F9A2D1C5E4C662B367C7B14EE,SHA256=6BB7228BBE1FF1EC7128D420964985B14002D526C91F603655CC050469BF1B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:36.710{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA082064A5C23DA044AE3A3C0FC6D82,SHA256=80C5741497BC58B8BEF785993EF49AD6C24F5DDAAF7967BBD3C893A57F6BC12E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:36.156{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E11F72258A60981920335BE35EFA22,SHA256=89549C680C82E118EC9A195D61617F928F5CE1F1C7F4C072BE8425654F2987A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:37.778{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3DF259ECCFC419D85AE8B475AE1994,SHA256=BB0ED9D1E72D8C2DD1FCD0A88A73D8673C9C92D4E06D2C92316FAD85A639ADC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:34.362{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65370-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:37.227{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F12A2D85C716B0E0C5E10ABF088C9C68,SHA256=A9D796782F05C430AF429EAF5EBE74D69ED06843AED21CD28396B5D3B96BD965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:38.830{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB3EF0A1FFA6DE319E376F3BD7538C4,SHA256=9B0AB84985B0C881B7173F58AB2A83CD0B609CFCD0FC579C975BBF729B0733F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:38.261{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C325B59BB0688308FB54B405B4F2856A,SHA256=73D3CCEBB3745740DAB55CB8C34B8B9DC7123FDE256ABA4A937FECE4ABF9FA48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:39.865{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733EB766B16E5408E4DCDAA5E06BA13C,SHA256=265C4C7872FD776C98310ECEB291B06578E4C3D5D99EB3A2F6F42C9811F36ADA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:37.385{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50409-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:39.304{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA3E61502B4A31C4EBC4A3CFE29CD95,SHA256=558C7F3ED26030AF2060786DD472C70E5E37A7C435306E443D27735423E08693,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000022011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:52:40.750{223CB5FF-6DE2-6442-1500-00000000DD02}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d97447-0xc6983742) 23542300x800000000000000027043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:40.435{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A92E233F622260196D305197919981,SHA256=BD3272D929424E18C3D06CE7CEF671613A9C615B8E26C0C9282587E1A83433DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:41.004{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2F59523ED7C9C652DF3E799D4FF28E,SHA256=5A2218587E401C0CEB09AFB1C6B1256AD4AEB20B68F30BF8C8D75ADC8EC210DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:41.454{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6A87C8709B07A1B4BFF6FC66F5B086,SHA256=0EFE90B5611BC83B9C55CA801896A38624C37ACBF8911F5E116814D39BDF276F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:42.038{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB1F5AF1C710AD40CA216517A9B9328,SHA256=89B93446B46DA4485720DB8499F4AD52CD71D5014CB68E20140C4794EBBE28D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:42.572{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6AB4C568A2A98D97C8F69180A9AF45,SHA256=416D725BA41F29D68E2F0EAB49648DB27699D13B970903A92A157375F96B004A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:40.362{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65371-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:43.598{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF41525B665E1AAA6104F6E5BF8F3D01,SHA256=ABBABA732D27C9C623B9079CDF6D2C50C8B12AE0E147BD5ADB8B8D3D452E9778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:43.157{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5A3D7AB7A69BED456EBB31CB66F17A8,SHA256=AC9263183282EF2B5A0B2183DE13C8E7F089DFA26699C94ACC7835BD99469C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:44.647{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297C1FECE6B4E0CCDFBEAE5B2753A64F,SHA256=7FEDFBB71B2F8D08335F4EB2D913DDF17AA7F0557CCA3CBAAA9D32B5593AA16E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:42.528{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50410-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:44.176{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852DA0B0A0A08A3088AE786918146214,SHA256=CC61A0A440864165953FFBF0367E287707309B56B0DDFFED0C3255CA0B051B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:45.197{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307221BDCD8BD8D43B8B137A2D3EBFF1,SHA256=1908A7FE98D00D57C1CFD91B5F1D2049A1EEF2C65B41F6692270828B3A6319BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:45.665{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFB996161F57D1B90E871AC8BC4CF7D,SHA256=21DB0AD9028E422AE4BC12145070859B1EE07BB9491CF818AAF9C8E64D0418D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:46.701{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282B634BBFC33128859E822F7B84119D,SHA256=81CC24A947F00B9E959B14F389488F71A9B5F0A881A801AE5E33B9F9E3B3925F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.283{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1A00-00000000DD02}1928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1A00-00000000DD02}1928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.280{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.280{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.280{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.233{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF7C5F09CCEAD776657C303B41282B92,SHA256=57A8D4A46D8762D584CC477AEF9BDEDB7AAFB8A1FCEF6FE36E8A355848762019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:47.567{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F85308CC61A9B35542CC6034297E01,SHA256=2199C418F7A64D4C3185120ADBA4093B3FCFAB41403AB84B2AD4351A78C87B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:47.803{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1491C88E2F248D424B4E30B1A43F53D,SHA256=9C2E437BF22AB8AF23639CD51B2E3DD3592B5D00E8E00ED16D0C3AF5FB623705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:47.753{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A9E58DCD852FA186C18B29DEB8CEF958,SHA256=69652D1C6E3332447A84D7D341E02654B43F9ED3A76447BE0236A5DB75CDFCDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:48.803{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFED5D98AE42DAB6E0982A230A98F2E5,SHA256=CC7426DCBED6F5C4FC0B55B2795C0E9574FAD33886EAE0E255823A23FD858B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:48.687{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8450825A40AF842336FA05D21A439E37,SHA256=E423F9229C76FB71FD175BE3EC1A28C5BEBBC07EDDBDF464F7F95F7EEE7A12E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:49.840{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842C80BB9536757FE7AF6DF17D215CF9,SHA256=C22BBE467300FA088482637D7C486F153E41C95768458C873497A64E59DF56B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:49.725{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E065438B4AAE3B3D79028E851C9F3DCC,SHA256=C79D193DD7D20745E82746F3E747CE490D2C594348ACE9640D8DA42825C2C073,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:46.290{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65372-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:50.930{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B09F838D95B09B4FC0333E8D59CA5BE,SHA256=C3B7C16287AFB6B2617DFD800895C6B6A6BF67C112B422DC42D864992B0A9A21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:48.342{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50411-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:50.743{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45136BEE32B29FF335B388BA97A188F,SHA256=84923D6D5008F82C05F1B69D5DF78BA2D590D3F8E1DD7A8071E1E821E7CF5D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:51.777{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E660F69AD1FB04AD5E8E62DEF05E48,SHA256=C36F44F214ED33A26EB64A7EEBAB4296808BCA3D0A801B436FF99172AE3D8229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:52.796{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7212346FD584FE44BDF0B7A37F431F7B,SHA256=B9BE9F34CB1FD36F137E1850F18CDC61360CF0A63137921F79EE78EFBD291EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:52.007{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CB1A6ED4E47ABBFB8D4DD276620097,SHA256=D9C4ACD7325482C0197651400504989D42D51568289EC965D82876AE7CF8385E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:53.817{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2576B201992790EFA6149BF9E85C0A,SHA256=E88C3BC2CB0DFABFA362EDA1F726C38BF701126F8E9A9415E1A511FB9F49EDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:53.108{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81718F665BB5E4ABC9F585698EE8AE62,SHA256=F43307099CAAE938A72A5F26F3B16581A1DA055AE57D685B1C07AF4EE0B80ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:54.938{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB8AC754D28A830C7033FA4083C73A4,SHA256=30C0B270F1AD6BF544CE59BE15F840015301A027757E08024A43B6A3EB4FC689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:54.209{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20DE7D1C551EB322368A05C8E622C377,SHA256=A1506C559F226F88FDC651DBBCA47DAC0E16B8E149B54A55F2BF5878E4ED75BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:55.956{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF63BAB43022EF4383ED7C39D8286A0,SHA256=9CAD24EC0809F904CBD6F0824536B1AD1586F34577386D90E43DC0A6D430CC75,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:52.269{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65373-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:55.277{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DA20D1191F2C9009D12C98387791BF,SHA256=1CFEE376F2071EA02B83C443F0A1D92AE3278C0273B9C2EE5047B2CEF1B57E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:56.412{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0EBC994D005B07791514F33412A158E,SHA256=CAEB37739BFD09B8B54043C26944A815D7FFCB4E165B2EFEA6ABC47F9A1487EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7918-6442-EB02-00000000DD02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7918-6442-EB02-00000000DD02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7918-6442-EB02-00000000DD02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.389{223CB5FF-7918-6442-EB02-00000000DD02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000022061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:53.505{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50412-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:57.513{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B873342D1698DCA66EDB449C01AAD0E,SHA256=5B92FEC5B00E81BF119D89BF5D58DF544F087BB661962F9E1EF732688312A34D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7919-6442-ED02-00000000DD02}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7919-6442-ED02-00000000DD02}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7919-6442-ED02-00000000DD02}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-7919-6442-ED02-00000000DD02}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.444{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9B9999B10F395BEAB14EBEC4DDA3068,SHA256=ADB2B9F9137234EF1537D43885F2D9C9DC57FDEA13AD86195E033219DCCC176D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.209{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7919-6442-EC02-00000000DD02}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.208{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.208{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.207{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.207{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.207{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7919-6442-EC02-00000000DD02}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.207{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7919-6442-EC02-00000000DD02}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.206{223CB5FF-7919-6442-EC02-00000000DD02}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.009{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB714ABC9E49ECD078E7AA63A030C82,SHA256=311BA973FB55E8FBD6DAC6B33ED9F251EB88A72B923EFF3AAEE0B5549B62FB81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:58.665{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A578A4AF7D91BE46A40E18FAC25BBF2,SHA256=DF7D79D447042472E2F258CD6D58D052506379D72A58DC2C1948D7BCCD39D5B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.897{223CB5FF-791A-6442-EE02-00000000DD02}50686996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.681{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-791A-6442-EE02-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.681{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.681{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.681{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.681{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.681{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-791A-6442-EE02-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.681{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-791A-6442-EE02-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.682{223CB5FF-791A-6442-EE02-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.330{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=655E34DEA7D9F93C5725A825AD9DD360,SHA256=AA1EB5F62686526C9552CC83C595247472B611B27A63337E5F4E6BCA20954054,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.064{223CB5FF-7919-6442-ED02-00000000DD02}67046684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.048{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8D243A2D899DBB33A324E1713CC2EF,SHA256=CFCD552AAA097080BEFA347E9919F9CFE9397FA1A4140B8096717C8B4D441989,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:56.473{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local65374-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000027067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:56.472{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local65374-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000027066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:59.697{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F792E3B9E61D0300C7B63B2C16B48B3B,SHA256=D840CA0FF8605716F9440606E73A746748A71FB46AB0BAF6535CF176841EC3EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.452{223CB5FF-791B-6442-EF02-00000000DD02}6952292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.266{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-791B-6442-EF02-00000000DD02}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.266{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.266{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.266{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.266{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.266{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-791B-6442-EF02-00000000DD02}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.266{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-791B-6442-EF02-00000000DD02}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.268{223CB5FF-791B-6442-EF02-00000000DD02}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.082{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A59AB0C4B01094A48629B1B21257CE4,SHA256=5E0B031933711FCF745C6B6A824E8C130EB7276102F160D499A4163A3516FDF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:59.366{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60BCF872CC16C81CF2973ADDE09AF05F,SHA256=6547B57F57CC1DB264B15B3FB390841CEA207744889D93D95CD58D05459218F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:00.802{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF1DD429FBC41217464D0466510E1FE,SHA256=3257BF03A31A664097D890FEC737F39A31580C363A5CD5BDFCA3A3CD938B14D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:57.331{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65375-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000022118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.921{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-791C-6442-F002-00000000DD02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.919{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.919{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.919{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.919{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.919{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-791C-6442-F002-00000000DD02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.918{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-791C-6442-F002-00000000DD02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.918{223CB5FF-791C-6442-F002-00000000DD02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.119{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF54A19357C7D3A694EB1419B3F7A46C,SHA256=687A8001FF709D66E5A832A40ED1EE7948279F7D92D175FE898F877430A24040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:01.945{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B199C169126F064E78104561487229,SHA256=6FF926347BAC59B7D0AB10AC20AC717A7419C4BD80E388C8E7CA62EF3058622A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.487{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-791D-6442-F102-00000000DD02}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.487{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.487{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.487{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.487{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.487{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-791D-6442-F102-00000000DD02}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.487{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-791D-6442-F102-00000000DD02}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.489{223CB5FF-791D-6442-F102-00000000DD02}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.171{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D39C638B831206737F773512555A715,SHA256=75E2B84D3C4A083F2D122C4541E0AA227197D7247AAF868B1ADC5DE738EB4BCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.156{223CB5FF-791C-6442-F002-00000000DD02}71327136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000022119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.519{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50413-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:02.207{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB63A2EB08509F306F282687224332EC,SHA256=1F61B33ED74FB6494490BE91E2E5F08572FAA657ECF0026936E6FC1870E32E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:03.343{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C67DCFEFF15656A58CADBD7C7D80EF,SHA256=1B3D5BD65B0E00B62FB8ED08C3E723A1CC4F930C1F621BF98C22D24874639989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:03.047{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D9ADD967EAE3B1D06B191889867EA6,SHA256=FF129E597657C439A3353D52BA3204D5D991DFDC09C41A2E23129FA5D5815F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:04.377{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379A482BD70EF5CC96A3C44961B8D9CF,SHA256=660B0F79DB70703E9C8DBC343F75E27CB6FA92EB2D6D1729C6B0A3A75C7419E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:04.106{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18C50780381A4E55AF23AA01DF5C5CE,SHA256=CF6958E086666CFF59885A6DA1CE1F7D4B6EFFD7316B2981CC598B9F057A4708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:05.413{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECE4B8A1197B50CAECBF2546A955EF7,SHA256=72A46713ACBB02D1272E404373A8541FC5598BE64586F9A962CA58794C66E385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:05.124{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C4BB090AC72D4F42E3CD8914DF9090,SHA256=2B656C319E65968934604453E22042A659616AB47C9704A449C7B1F881FB942C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:06.433{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21760F96969C55828B85DB588DF9A799,SHA256=E0EBAA6B0D6409CBE8C328E3938C281B5C6E6BBAC479A706FAC777924BD0ACCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:06.250{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30130A5BC12ABD02CC3642C0D92202F5,SHA256=9968DCE24B87169CE567A9F256D70B6CEEDE5EE3CE9580779A1842A27FE42BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:07.870{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=91586DEC86502DD26218D27BFEDEC59C,SHA256=847FCFC4E2F6DCA1DC0994E72EEB7B0591FF27188D71ED58CC8D658582025ED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:07.570{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FDBDF87B965D68309E06EDC369B6C5,SHA256=A98DCAC6BBA07D59017044CF27B199A39B507BFCF075A53C352016BFFEBE37BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:07.310{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B627084F587CE697072E8AD12ABBDC3,SHA256=DF7C4D60B4EB0C18252CBA3FE6FAD661B6F89FD6271EB63C1C63E1F98FE414FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:04.400{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50414-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000027076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:03.341{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65376-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:08.640{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6C5562B80CD10897B1A3ED3C9EAF7E,SHA256=9080933B14AEFE0AADB066B0DDAC35A1AB05EE85925CD4A8C89B27C913DD3B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:08.328{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4116251155BA58C9FA1EAB3CAAA758EA,SHA256=9E9E5F61843FE950735DEF4D80CD4012C87877D6C478FC41B4B54D3C64182E9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:09.741{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7058245BDD7C7B93C096021C884994,SHA256=AA6B6443FA618F3344D0AF2ACFD124B028F3973BF0F77CF39EA9470C006F2136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:09.429{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300CB9D2A33D86D28C49AF325F31FBCE,SHA256=3E3BAF3738A43CF52D2896E11700534B9D348BE5A97F879AA248236EBF17642A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000022148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000022147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002c0db5) 13241300x800000000000000022146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9743f-0x75757fae) 13241300x800000000000000022145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97447-0xd739e7ae) 13241300x800000000000000022144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97450-0x38fe4fae) 13241300x800000000000000022143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000022142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002c0db5) 13241300x800000000000000022141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9743f-0x75757fae) 13241300x800000000000000022140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97447-0xd739e7ae) 13241300x800000000000000022139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97450-0x38fe4fae) 23542300x800000000000000022150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:10.858{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712C9B45C41BD54763B6E724DB0E3D49,SHA256=D829F23D667372EACC1729DE86CF68550EE04D9E6F5C3F2D4C67C84A3D57B36D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:10.531{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081CAA922019CE4B009A379B18EEDB73,SHA256=FE15B866A8BB3F94BCFDEA0FE4062C29A549564D5A4EA0BE663B61BDA95C24C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:11.958{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4ECACC5901CDFA8AF9DBAED452A5FE6,SHA256=9F4E3FEC6B664BFEC417DC4A5E954FB9FEDD1911466252FB4480B134D511E836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:11.685{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-056MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:11.583{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB748BF99ABD84FE434A82D6369758FB,SHA256=9FBB016C16A8DA9A234DDBAB85B2A5042A807866E3366712CEDE5482FA4C5AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:12.685{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-057MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:12.615{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431B8EC086740025562A875A95DABFC3,SHA256=881D1BDC0EDB8372FA51139F822A6AA6E35B03ED4274568D95694D86781381DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:13.635{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6E8B7617BC0538757574902A720A9D,SHA256=CE3539ADDAA61FC7E92F03C8740974F3DD5904A3341109C933C29DA738283D91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:10.344{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50415-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:13.042{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098A6A08C7630573E5DF2197139EE581,SHA256=BB2CA2152D583562A28BE76B26BC028010FFBA5131EEC4F4CD1C59744EBDCBB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:09.216{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65377-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:14.759{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18254A732448216540CD5FFA579FAB09,SHA256=FA67DFF0AB60F257EDFDABF99F5D38200EA27B6EF96A8D417378BEF770772450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:14.160{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2089B08279380191D51281A7BAF7EA6,SHA256=0BFA188B056D44EF03AF40AC5F971E60479240031DD24BE371BAB98645BF51CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.860{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC75684083CFD617CBE15F56BF3F021B,SHA256=B8ECBD8CCDA5E6291A4214AA9F5E4E90C823AE175655C4D648B8DCC0282AFFBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:15.176{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE7DC3F4F3B7280253592885C24E6EB,SHA256=C219A8761953F0C5FB3D3C9F2F2700E8C3739E670FDC99DFB719FC8DC4559FDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-792B-6442-4206-00000000DC02}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-792B-6442-4206-00000000DC02}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-792B-6442-4206-00000000DC02}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.187{AF4EC832-792B-6442-4206-00000000DC02}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:16.936{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CC55FF6CCCEA617C652C2AA6442AEE,SHA256=BDB586020BA5281CB3786A64954A655CB5F4DAD1E010F2AFFA26BC3406F59EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:16.277{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D0543D25745FA4A378D0C4049F82FF,SHA256=8226442D8075ADC98C8FD52A6C35BF019843D5E44B38B988C60678755DC5ACA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:16.203{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98873840D5338415431A6A57B4E731EB,SHA256=3EA923C00FCDB6409B18735C14BEB1397E1407C27FD8CFBAA825634A56861504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.989{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57F56777CC582756B78E02F2A822A2E,SHA256=82D04967DB9CAE1134255420FBA61A52490B4769391A0D5393489BD1C406B07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:17.346{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F718B0CEE6033200027E9E9D7288D6A2,SHA256=554396028AD2DB78960785246C6A318C95C4FF860B9D82268AE6F932F1E260B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.873{AF4EC832-792D-6442-4406-00000000DC02}54164860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.688{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-792D-6442-4406-00000000DC02}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.688{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.688{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.688{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.688{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.688{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-792D-6442-4406-00000000DC02}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.688{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-792D-6442-4406-00000000DC02}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.689{AF4EC832-792D-6442-4406-00000000DC02}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.161{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6653B74C897999066681A5A13E09FDC5,SHA256=71F5A22C59B0F9106C989FED5F912BB7AD70872122E46895B375B2580BE713AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.019{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-792D-6442-4306-00000000DC02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.019{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.019{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.019{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.019{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.019{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-792D-6442-4306-00000000DC02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.019{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-792D-6442-4306-00000000DC02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.020{AF4EC832-792D-6442-4306-00000000DC02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:18.429{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB94FB64E8869E2E615E72BBFF610EB,SHA256=59D577FD5193DA068FFA22F3AD3DE4A02564D2B2F240A460784BB70CE1A64B3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.546{AF4EC832-792E-6442-4506-00000000DC02}8643340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.362{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-792E-6442-4506-00000000DC02}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.362{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.362{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.362{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.362{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.362{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-792E-6442-4506-00000000DC02}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.362{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-792E-6442-4506-00000000DC02}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.363{AF4EC832-792E-6442-4506-00000000DC02}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000022158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:15.530{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50416-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:19.512{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A8A5BF6AFBD609E2B0DB09EB01153B0,SHA256=8CBAD75674CC855F3732D72B7F85082DE8158457E87DC73782D73FC9EF39133D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.843{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-792F-6442-4706-00000000DC02}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.840{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.840{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.840{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.840{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.840{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-792F-6442-4706-00000000DC02}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.839{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-792F-6442-4706-00000000DC02}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.839{AF4EC832-792F-6442-4706-00000000DC02}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.348{AF4EC832-792F-6442-4606-00000000DC02}21525640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.163{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-792F-6442-4606-00000000DC02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.163{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.163{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.163{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.163{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.163{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-792F-6442-4606-00000000DC02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.163{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-792F-6442-4606-00000000DC02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.164{AF4EC832-792F-6442-4606-00000000DC02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.090{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0C48EC517B53B2CF5345929BF5CF24,SHA256=A3F5FCBC39627B4EA4940C4B3CD1B6D937A5646A31F002841EBA3709F891114E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.252{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65378-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:19.281{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:20.885{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-046MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:20.630{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE819A54FE851AFDE533CCE8FA3B3F90,SHA256=48013A11244EA5F342399AB31906CA50D086A5722587080943609EBCE1EEBC7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7930-6442-4806-00000000DC02}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7930-6442-4806-00000000DC02}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7930-6442-4806-00000000DC02}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.509{AF4EC832-7930-6442-4806-00000000DC02}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.191{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A38B0986F08BDB7CABBC9AC675918797,SHA256=EF208E124514E87F53873E67B1B15A635E8939181F5C7740A4884D9C80CF5937,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.991{AF4EC832-792F-6442-4706-00000000DC02}60804076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:21.885{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-047MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:21.752{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D2B3144B6734337758976EC3DC203E,SHA256=BC5466930C2FB5CB013D77BF983D15E16F3EFA01F5CFAAB0AD60CED791A8CC79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:21.246{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9EECD6DA5B9D9D88B68B94948CE422F,SHA256=B58446B05B6A416CD07D7C238DB76E3D7548480927FF9D13F6E98AF17F4793C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:18.552{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50417-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000022167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:22.884{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B117332255CFC9E660425E2851DF153C,SHA256=32F337C43E56C585D23AE21D7E01DD334FCD9E252855E94651E8753F58A7D7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:22.367{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC61B4C1C03F9A5C2730D8805118C57,SHA256=175C59F45B147F3710F68358003690512D341589A62B9357025AAF1C3130B562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:23.969{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52E9DAB21A2B96FDD39C8DC10A574E8,SHA256=F57C7E0C80F09B1D7B54EE2BD9EAF1EFA5BE65AC245B945BE8355ACCDAD242F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:23.395{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCED582F6726EA3337AED9E7C2F6B9CB,SHA256=374A2BBC5A816B72E1C3769590E4B09FAEF969DA66A442BAFC7481A587D09722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:24.496{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B91B78B6D06A81F5F0CA96D8330AA0,SHA256=B5A18028F7BBCA1D50A0137AC75832FFEC77ED773996348ED005EAEBC26D0CD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:21.520{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50418-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000027159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.273{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65379-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:25.582{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76641C28083B998873C48EF0E115FC9,SHA256=55802209EBA77C493BF98FD223205A560AF1245B2515CD93BE1C3505E369F114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:25.070{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5750F62B427325D367D277F319B8FD,SHA256=ED5C0409832B6705FE17FEA5B2CFB5CC5021737CCCA1D5E60160529252F3050A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:26.715{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7C85D234669EBB6911115B18DB21C3,SHA256=94F3CE58D4425E32CE06D6D386D008126DF0186F2DB8052648F4EE734ADA6C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:26.154{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16765D622820C4D5C60D0C6C69E8275,SHA256=F6B85842E036A64548B51D53E99C4F6281EED924CA73A92C71699A17923841CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:27.785{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738DBB6FD85B891FF71B3D9D7769D101,SHA256=E1575068058C78DEA803AC36EC28808F1FD2D30963AE9FF2CF325DE7D927429A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:27.519{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FF15CE74429E8B4176186B86EB64C0C3,SHA256=9133DD7E42456DA430DE92139DEEBFCAE9548DD398D33659BAF88A8856AA6C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:27.288{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92FB74BDBD6492D8355DE2966B29FD09,SHA256=D3492E74010EEECB51A5D2DDFB9EA3330C6B865FAA364D6E99C908CFC7FB60E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:27.331{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:28.817{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079012D37368B552D352412AC0AA08D4,SHA256=83E5077E1EE800C5FE14C84C9F2B56B13830587B6A80D4290D3036664FD52C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:28.390{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666550E8E56AF8074210A01A04299E86,SHA256=3954FD3F4B147CCD4E3A5146E2F5F598EC3059B491699B3C3A3D7C9D0E25256F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:29.491{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD090BF3CA5D7F880677ED0FD3E9B23,SHA256=496B42F7D829768B976275162EF690647B5D2B653D31E017D641021F2EB177CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:29.833{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7276772A4D3BAF4DC91DF0CBE7519578,SHA256=C57D652128BE3EF05707923CB81659265C6414E79F14DBA6A3CE2A8F3A1880F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:25.447{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65380-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000022175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:27.392{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50419-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:30.576{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A785A673B5AE7DCCD876D054F29BF1,SHA256=A714C638DEA014C9A1C17A150222B4B48639DA828A9C25274EAAFB5490FC6DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:30.852{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0239D855FF2EEACE536A742B18318FA1,SHA256=9C13B7A21062A62A25B96CD500625514F502112F2076959913EAA02365808797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:30.202{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F431996CFE52AA040CA1E1C813E161CD,SHA256=48B385A9177AA8EA6C83A185F670AAFAC51DBF057DC82BAD563FC1B1D3F1F13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:31.663{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645E4E289E97D7324E6F2F8F1E3789A3,SHA256=02B1F95FF7C9B729D206C0F6C2BADA1EC1CE3C658EAAE576451273CC84D04C71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:31.953{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7CF90AC6B9D99D841CFC3F341A6871,SHA256=4AD791EC90004D0A239D0074FD18B0D30AF276DDC60FE9D9A989B131BE496511,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:26.182{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65381-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:32.780{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F67FB3FD7A411618BE2172AA897E7B,SHA256=646A9FA78640BB84CCD2D0E78FA89F583EBCEAA392374329F85DF777D5E36862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:33.881{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03677044A0FD0AC2C3E1B7DAA9270D1E,SHA256=448EDE68ED794F3C4B2D3081D5717A25EC6795266E6942CBB25E6B9967812C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:33.021{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA29514E473C058C466B664B5DD4C1F,SHA256=DAFE24D5CD6CBB87576BF22575ABE3EFDFD8E211B916C7F385A17EAE6379663B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:34.997{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7ACFD987924C9D1EC066760315DC51,SHA256=F98EB321E356351F74B5817510B919ED4A5CB8AE63A62964D51FDCCDB5B9CD1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:34.037{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4543F8041DCFF3074DF245AD83D229E5,SHA256=5240BCD056BD6FEDE5AE03AA01EA7858D23066F4DD0039C27F753FC0E904439F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:33.368{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50420-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000027175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:31.309{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65382-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:35.056{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D53AB8B394CB9C9FFC48E76A38569D,SHA256=290AF76F5B71ABC44CF23E768EE25A5B66781D5675BD7FFA795A5FD19E5BCC0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:36.114{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD71E47621FE6196BD215C778EBE07F,SHA256=AEB49DB4820650026792A3FF727BF2250E139C868F3EECE2606D38F3CF1264FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:36.640{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=061DFA031CFB20C4D631FDD1AB9A2B7E,SHA256=4E1C8CF61272F18DFC953EFDE16CE74EE7933021238F8EE35C6157168026B56C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:36.208{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB881D33B20D0132F0D1A54C954612EF,SHA256=EB7CE0372FD4028ED472E1094CAEA6956D78B9F77209A01910CA590E0297E8F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:37.148{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE4429328DF505A80464B6327F3B0C3,SHA256=88CD9FD5C561DE8EF298191AC68DBB425D48E682288128C527BE81AE677F16BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:37.225{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769C1449DEB42C862B481C5B24D448CB,SHA256=FF5392EB002AE67220700078111AB56F63E9230949186A9830D0CF387D89C437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:38.200{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E0CA5BD35E0C95E13AD8D02D3DC294,SHA256=1980EC437F8CB76EBEA9A464B97BB8A566B2FC982FFB6788B2EA00D4B575952F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:38.359{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE923DEDDAC2F62B4936EBCFCD76CCA,SHA256=45FC3976B3C8FBB344972871C977EDC002B11B0F6D02610AFDFFF40D30A00C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:39.268{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978D19241AE4E8B2FE75F742AE778249,SHA256=2AFFECD7541E870A8C86FABA1C9F7B882783EB9416F08CEFFA2EDE6AE097949B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:39.413{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F840632F96009FADB89269C108F3F941,SHA256=CB2F648DAACA33C209C1BE08EBCFBEFDFFAC9A232C6B927B813F84B945D29319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:40.351{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD970280E540C359C007065989DC8C07,SHA256=3BA78DB3559C7FF894D1B8B95D06F628DD803C52D8663433840E88CB52EEA39A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:40.563{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3791E993658AADE4A1241DFFB009D5A,SHA256=E22E732B10B4578C5890009003AC09DFD4A99439A50CF53A5E3B23C11BCE3756,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:36.314{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65383-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:41.670{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=6327D69923DA8EF02968B51286F46737,SHA256=870B68F2D288807E588070BC34BB21DF4F84761F529A9330220B3DA0DCEB6DC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:38.455{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50421-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:41.370{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F7DD7B06F66343D8E79C44E22310D1,SHA256=28A64FF0BB1A2878930A030F1F115D08C488A534839290FD88B66316FB987985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:41.700{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CF28EE1F07FD6B7A1FB50952ED0879,SHA256=770785511B396E0FA0BEC8DB9C564D9DCC3D02B506E2A59839421E435312D80F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:42.454{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB937C33676452F2C08A5E62F1343E2,SHA256=390B98C141067961B07B748042C23B9950521A244CF79DCFB61738C8124110B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:42.748{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA712438447C18451B3709011BE7E52F,SHA256=385E4DFA12D8922553A38A4CD59F7DD7E72A2385324A6F377070F1F964042932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:43.537{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F764E4E4460C8F4CF0AF16456793E771,SHA256=13A532FAD14246731F219E1CF044DDFE47C353A2DCF5AE9A750215B00E81BF06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:43.790{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C4D009CE6991F84F4ED5526AE5EA71,SHA256=FB35992686577075051810376940CB8CD9FF8C42A4B89D5E67609BC1434D99D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:44.606{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7A09AA6CC18CC4FA275427FFDBF44D,SHA256=8EA4061CCA8EDE7B0C33C455164962C8E7EA181E472B2C2B03AC522EB6B335F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:44.803{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D62CF1DF43712DBDA8C756994F14B5F,SHA256=60ECCC03A7E33C91C46D90B467315D8B15D00E9EF92C41F53F8FA925949FFE71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:45.676{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369594E84F6FBB988C6025D2BF437683,SHA256=F80CED72DB75F86869B31C937A54E55A6AC58C7E4BD4EA921C913489947F8490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:45.869{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E11C2C53416BEF3C1062097F1B7A35,SHA256=D3F7EC446E1694BF2AE3D32062ABD675C152205F887B7E05C12B1F0D3E2F0821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:46.894{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E3682B9F4FE1ACFBF5128904ECAB34,SHA256=7E5A68B30A23201B16FD0DC9F36A143D4D2BD25C4F3A58ABF5876A34BB7D650B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:46.695{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3862073732D099A70965B89579E258,SHA256=6D9E7038089EB7553E7E375575A606C1FECC33C2794D1C0E07EC5AD7FFB6E156,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:42.247{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65384-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:47.938{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DC8A3764D7C79927EEB4F42EEF5D54,SHA256=FD8A233BFFFF7E3A481AA23AD86A0532B88C9318FBBA2C3F586A7A933B384BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:47.780{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93ED925ECF683A8E009942504898B65,SHA256=8271D2DD1DB3EB219294EFDBE83A165266FBDF6514C91D9564E829DDE9DACF44,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:44.393{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50422-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:47.494{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CFA1C22783F25EFF97679DA01864443E,SHA256=0D707753381709FC19A6D7F635092811A97361B57C843E727F38285D772AE331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:48.997{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559697A6DE31F772C3C3BAD6C35403C5,SHA256=378A33B7539412FF8A75767EF9372C18E21CB58EE9DC9780B6FBEF62C49F3512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:48.762{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B18C03FFB831A7F9ECE20C491BA29F5,SHA256=729BDE8B230B92581DBD090714F7114771C425AC11B4C03C2E6B3DC5C5A68D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:49.862{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8F1895827AB0831B50F913AD7B6BB9,SHA256=3432F8168EC91A7AEDC5AE7CEC81DC1E5DDF0530C9CC1A7562A8265151895772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:50.983{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD268ED52C6FA72AEF920BF698C21C01,SHA256=994E8D0777D7B11FB947DB29C826D3550FB425EFDB19738AC30F13F59C996E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:50.056{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A5248432FF98E0FD546D4EBCD9A09E,SHA256=B094D15395CD87C379893C4B583C8BF3CC805C81AAEB645EE07875DBB743B1AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:48.185{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65385-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:51.074{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D98177EE2A4E3882A593C63C53DC299,SHA256=A709EC7CA0EFB2FCF98339C1DB3A967D6C6E03F108E8B5F6E2B13613B294CC1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:49.448{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50423-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:52.100{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AB12B350EDC19E687C9A9C074F7A44,SHA256=57D574E853F0E7D656A35EFC2865877B3DAA53E6CF508CD62FA19143487E7DDF,IMPHASH=00000000000000000000000000000000falsetrue