23542300x800000000000000098537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:25.730{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CB18B942C9E4638BB7A586809359AE,SHA256=1273BCC5AF5CEF9F45ED3CEBA375CAFB4C9A17EE132F5E568929F7069A17B42A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.741{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.741{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.725{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.725{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.725{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.724{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.724{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.724{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.715{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.715{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.715{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.715{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.715{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.711{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.711{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.711{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.711{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.711{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.710{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.702{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.701{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.698{E8723972-5644-6356-0A00-000000008902}6241516C:\Windows\system32\services.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.674{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.674{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.674{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.673{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.673{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.673{E8723972-5644-6356-0A00-000000008902}6242840C:\Windows\system32\services.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.671{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\system32\msiexec.exe /VC:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9,IMPHASH=18A9F87944C357EB02511FDF4A18E19B{E8723972-5644-6356-0A00-000000008902}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000191067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.670{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5644-6356-0A00-000000008902}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.670{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.670{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.669{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5644-6356-0A00-000000008902}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.652{E8723972-5646-6356-1400-000000008902}10528252C:\Windows\system32\svchost.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x100040C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+63c9|c:\windows\system32\cryptsvc.dll+62d1|c:\windows\system32\cryptsvc.dll+5e56|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.548{E8723972-5646-6356-1600-000000008902}13003348C:\Windows\system32\svchost.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.540{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.529{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.529{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:26.823{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD9A8469E3BF06F030A7E353B34ECFA,SHA256=968A9DBBEAF658354C1B9055C68AC3EF9B7D2D88D0BD68BA2EFD1C1AE2E52114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.990{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968B63CF33FDA4802CA505BB4FEDA2D9,SHA256=9EB70E4A3EE27C9A146CAD9311A95F6A5A273842A6CF9F452DDF989FB79268A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.861{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=57443036CEF4EDB6658B7A7394173F6D,SHA256=9BD2516E168AE20D631F6228A5CEBBC322AC921796005F2C28FE90E7463C7150,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.778{E8723972-A812-6356-EB0F-000000008902}75008412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.703{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.702{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.701{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.698{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.694{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.694{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.694{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.693{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.693{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.693{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.605{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A812-6356-EB0F-000000008902}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.603{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.603{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.603{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.602{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.602{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A812-6356-EB0F-000000008902}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.602{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A812-6356-EB0F-000000008902}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.601{E8723972-A812-6356-EB0F-000000008902}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.567{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C0678BE996B7A9B3533B0038760AF9E,SHA256=0EE88A0A1C07D53D6F2DF5469F85571D96292D817ADCBCD41CD0A29FEC69F72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.528{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=98EB7DFE085D7EE844245C80EA568BD1,SHA256=C5CC878D62FE37CEE384BC2E929130409F3E01FBFC550C39369BEE7DA251FA8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:24.109{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60464-false10.0.1.12-8000- 10341000x8000000000000000191146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.385{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.376{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.372{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.366{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.364{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.362{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.360{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.339{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.334{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.323{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.319{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.313{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.306{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.299{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.290{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.285{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.277{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.271{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.235{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.232{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000191126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.066{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A0E712A2AFEB31844BDE5522742748,SHA256=4933031F222FC4BDC6A77EEE2085921C82E722CD491529F28C20D060C6DC2B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.062{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3DEACFACC4DB00F48E3E94641E2713,SHA256=FECAFE8CAA23976BDD6CB65E2A9CEEBC43D07E57A210AF9693E1E42D8106BAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.062{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B275923CA142C8AD5B5D7FF28E2F92CB,SHA256=E43101C7A90FFB029251CD46F5CFC5FCBC2FE7781809D895468867F64BB5C92E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.001{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A811-6356-EA0F-000000008902}10024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A811-6356-EA0F-000000008902}10024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A811-6356-EA0F-000000008902}10024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-A811-6356-EA0F-000000008902}10024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000098538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:22.884{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53672-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:27.915{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAFC3D0C9BBEACA1E28B661254CD032,SHA256=7992C8B9A24D33F640FAC350502FD70A4E2BF7D3BB4269219E861DCFB46428D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.133{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A813-6356-EC0F-000000008902}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.131{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.131{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.131{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.131{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.131{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A813-6356-EC0F-000000008902}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.130{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A813-6356-EC0F-000000008902}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.129{E8723972-A813-6356-EC0F-000000008902}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.084{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AC3F03FBD9CE34210611E606602FCD,SHA256=C44ABF67DE07C52182E29582099D2D64163F94F37793B0885F82991DBF1E51A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.716{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.716{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.715{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.710{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000191181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.198{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=93250550F41C4588469AFF587B3C9ADD,SHA256=DD87F5B95FE8333BD27B2867792F14F1B4BCC88FA4B093546C68198EA219B129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.110{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED5041A6665C53A5166FA1F74B51454,SHA256=C2537869AD0D547D63791A89C5E1B0D7BBF7E6F15E41726333685C13EF0058EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.854{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=645BF94CB62137007011DC1288562433,SHA256=CA2A4BD84C8AC03A2807D31DA56515577EA46180A84549F69D21EBF7DC6D623D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.419{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.415{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.413{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.410{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.408{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.406{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E9-6356-E30F-000000008902}9672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.403{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E6-6356-E20F-000000008902}9316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.401{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.398{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.395{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.394{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.393{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.392{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.388{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.375{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.375{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.374{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.373{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.372{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.371{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.369{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.364{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.362{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.360{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.357{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.350{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.348{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.322{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.319{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.308{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.307{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.307{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.295{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.287{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.258{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.251{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.243{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.238{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.237{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.234{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.231{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.229{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.228{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.224{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.223{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000191187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.223{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EA4D640D120182F97AFF81FB08F426,SHA256=F66B1F7D06F86B1791D0B9F35AB382211C4323D701E2F760E77D2B1C6C2065EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.221{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x800000000000000098541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:29.005{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BFACDF8DEB54C62C180C71A4638DE4,SHA256=1670B35A63A07EFFD14E78FB05D777C4FC22FD354BCEDCF600366ABE54D13A23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.790{E8723972-A816-6356-ED0F-000000008902}74089720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.759{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.759{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.758{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.758{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.758{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.758{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000191242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.724{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943751D69362A2667B35057AD14E30EB,SHA256=659B5C59C09547FDA9A54862D5C23E449CED9883D055931A5BB57930DD61E6DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.591{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.588{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:30.082{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA89AAE95E279E0DCC1795FEF226D846,SHA256=35ECC73449180F351DAFB8BD798698AD8E4C6B53DFAA77CC8BE14139ADE63B9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.951{E8723972-A817-6356-EF0F-000000008902}48567488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.781{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8989CCD0C43E22A7A4C8CCFB541CB3D1,SHA256=6195F3D773CDE853734C7BB4083E6870F7C54445D6D172B40BCB25030E5F56EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.750{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A817-6356-EF0F-000000008902}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.748{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.748{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.748{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.747{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.747{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A817-6356-EF0F-000000008902}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.747{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A817-6356-EF0F-000000008902}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.746{E8723972-A817-6356-EF0F-000000008902}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000098544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:28.744{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53673-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:31.163{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDA8F3903E5736150B2CE83FFF0E124,SHA256=86C84B1E1C2900EC80208FFF6DF2A9C3750E3DD9C97E6DF168A0964F622F55B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.626{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B27CF57625A5A0CAB40A769A332F8F5,SHA256=48B36E266D385FDA19D68B6628A830169A6CB75ED711B721DF1C72E75FC93989,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.578{E8723972-A817-6356-EE0F-000000008902}24088016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000191258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.925{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60465-false10.0.1.12-8000- 10341000x8000000000000000191257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A817-6356-EE0F-000000008902}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A817-6356-EE0F-000000008902}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.249{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A817-6356-EE0F-000000008902}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.251{E8723972-A817-6356-EE0F-000000008902}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.854{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.853{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.853{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.853{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000191280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.800{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA0C1F9E9F540E0CB3C58130F0CF2F1,SHA256=996F24DC27C0BA08664713E938F46BBD85613BB3D5378A63A415E91421D96E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:32.600{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F7E562BA3E2E32EB39F07B09CDF709E4,SHA256=DD2B62B2D83133828F8272C5B7A7C79D6D27E7A20687A679D0E655ADE9AA13BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:32.256{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6C361A2738F446D89B876234B87C24,SHA256=D1EF77FFAD4EE1369D6B036BFD8D02FEDF484EB6A401AEAB8093DFF55E70328B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.672{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.290{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E7B230896722891C9FBE2F0E3AB66303,SHA256=FB2A2107954045E03BD54CB0ED0DFE54E2A39916A057B96F8CE8CFF308E34B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:33.821{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F943A56F9C911B89BDF0D0CD2A3020F7,SHA256=FF9DB818061551F7776E92D547FB81B058FFEF8DAD887F9406A22BAABC0D6CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:33.371{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150321C7E810C388C6B9426536016691,SHA256=57B9333C70F013989CF7ECFE45CC973F9D83F308718E6A4AA5BE320AA8821F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:33.304{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5167F07D6EE9C9EBFA85932CF77C8CE0,SHA256=BF4A2A29C6FE4066D859F9523821B0AA9A594CE949C6173974ED03A7847128B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:34.845{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131C55A2115D2C8A8BF2F942F65D947F,SHA256=47F3B9075EB32F04ED43325B52FE42CE073B33D48C645E107AF051ACFDB45C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:34.460{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E85763F28AEEE220EDD2FBCC8C3FFE,SHA256=0A0BF4785636298DD22E4B97F66BC6D5BEE2903CC932F233B074FD1F4186FEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:35.554{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43B86B99FCE2048A7E00141D484EFC6,SHA256=7A5D48DAC8386B31C1A56FE6684AA8ED3046C8466DF13C562E21AC4E719D67D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.937{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C11F62358D7C0ED575B267A2EFEE3A,SHA256=92DE5BD52F550C978E32762A8D8496BCE78E7DB34E265866BA5EB3250305C786,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.922{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.922{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.922{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5644-6356-0A00-000000008902}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:36.647{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB548BA18CFF73E9E1110C75604C6D8B,SHA256=CC2E782D05BB51EEAA52A65FF838EF39DFB956C8292786F276EDE0D57AA949B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:36.949{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A23A73BDC5673A07635EA73A8E8715B,SHA256=9B985A84EBA0A6CA0E63C39B96F11AE7079CB31CC72D00986CB469DB899AA28F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:36.931{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6BB944697B572E574632FBE4DDB55822,SHA256=42EAC640F3718C6416FC14FE086F99ED80554F7AF989881585A87B956E60AE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:36.075{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=55898A4C2C7376421E486DA4EC10B198,SHA256=3FAA3DCC84C6E20CA1DB73A4034EC0C6C7A43D8D63BD73C1A9166954F47AF86C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:37.733{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671EE2752952116AC24C5F03DD265B17,SHA256=A92F5883586DBB200106272C21F632EE026F6D2F14BD9D0520338DC83FFDD102,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:34.747{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53674-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000191298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.838{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60467-false72.21.91.29-80http 354300x8000000000000000191297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.102{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60466-false10.0.1.12-8000- 23542300x8000000000000000191296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:37.459{E8723972-A811-6356-E80F-000000008902}8072NT AUTHORITY\SYSTEMC:\Windows\system32\wbem\wmiprvse.exeC:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\85901D9A10DB11178C1ACC091B3F87900667513CMD5=5752FA13D2040388B50D0A599B755AF9,SHA256=AEE8EB879D7B426CA2495C9989E6A039E0CB9B5FC46BDFFB53CC70B7A467018D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:37.459{E8723972-A811-6356-E80F-000000008902}8072NT AUTHORITY\SYSTEMC:\Windows\system32\wbem\wmiprvse.exeC:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\85901D9A10DB11178C1ACC091B3F87900667513CMD5=D6A1DC2E53EB9C8135B71500AF196259,SHA256=0FDF371D1A90626666521A6BD13610AFF369DF52B3863816C156756C78B59A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:38.813{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8D221B53513A8759C32EA9313C5F95,SHA256=CC7091CDCA060A33AEE81A3BA03772C3CB82282192CC4A872810414F4BED3D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:38.702{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=542A49B473E5F032DA3EB6410040DA1F,SHA256=149C2F0C1597CAEA7FCE2AC62FC9F7E1BDF502DB088D2B1EBC88E73F65B5D45E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:36.530{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60468-false72.21.91.29-80http 23542300x8000000000000000191299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:38.025{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7F4DECE8D0DDCAA2733AF33E1149AF,SHA256=D764DDA0C6FFC75DAF4D260CFD9630D379975CEA3C771B1EBDCA9BAA0CC8FC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:39.902{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436A05A1F39A70E0D92C28E791983900,SHA256=175A4D0DA8A3BEC39D9C86EDEA70DA5B19D1C50B15C58FD305EBF42B02525C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:39.115{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B37AED88F75F95E30A9713B69124EFB,SHA256=DEF89E2CE279950E8C050B05B95C02637504BBA19CBD83B6F4C25099F0C6D96E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:40.994{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F158087E0D186CA9F5D8E63CA311722,SHA256=8C24EC9123B25C58BED10AA65DB06075F4B1A9489341373D78813DB3E7A8C346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:40.131{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16F980EFA18093300796BE7FC4EE022,SHA256=149E0F120E830147A63E48F338E15CC7E42371CB451944FE8130B25A194501C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.990{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.989{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.989{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.988{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.988{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.988{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.965{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.965{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.965{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.941{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.941{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.941{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.777{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+1422b3|C:\Windows\System32\windows.storage.dll+141553|C:\Windows\System32\windows.storage.dll+1413d9|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+14221e|C:\Windows\System32\windows.storage.dll+141553|C:\Windows\System32\windows.storage.dll+1413d9|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+142203|C:\Windows\System32\windows.storage.dll+141553|C:\Windows\System32\windows.storage.dll+1413d9|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+142203|C:\Windows\System32\windows.storage.dll+141553|C:\Windows\System32\windows.storage.dll+1413d9|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+143eba|C:\Windows\System32\windows.storage.dll+1414ac|C:\Windows\System32\windows.storage.dll+141288|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+143ea8|C:\Windows\System32\windows.storage.dll+1414ac|C:\Windows\System32\windows.storage.dll+141288|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+143ea8|C:\Windows\System32\windows.storage.dll+1414ac|C:\Windows\System32\windows.storage.dll+141288|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.647{E8723972-A821-6356-F10F-000000008902}9516ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF13fd3da.TMPMD5=8554CEE29C03241DFB5882E9984AA700,SHA256=FB6542D6D734A4D8C127624D80AED6D404A14B78F01E3564E0322ACDDB2A2FB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.616{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.585{E8723972-5646-6356-1600-000000008902}13001680C:\Windows\system32\svchost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.585{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.577{E8723972-5904-6356-9601-000000008902}52565152C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.577{E8723972-5904-6356-9601-000000008902}52565152C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52567984C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+1a7a4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52567984C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+1a7a4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52567984C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52567984C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52567984C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.516{E8723972-5646-6356-1600-000000008902}13001680C:\Windows\system32\svchost.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.516{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.516{E8723972-A821-6356-F20F-000000008902}82129896C:\Windows\system32\conhost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.516{E8723972-58FF-6356-7F01-000000008902}6482316C:\Windows\system32\csrss.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-58FF-6356-7F01-000000008902}6482316C:\Windows\system32\csrss.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-598A-6356-3A03-000000008902}27649004C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+1492df|C:\Windows\System32\windows.storage.dll+148f55|C:\Windows\System32\windows.storage.dll+148a46|C:\Windows\System32\windows.storage.dll+149eb8|C:\Windows\System32\windows.storage.dll+14886e|C:\Windows\System32\windows.storage.dll+14b40d|C:\Windows\System32\windows.storage.dll+14bb4c|C:\Windows\System32\windows.storage.dll+14aeb0|C:\Windows\System32\windows.storage.dll+14d60e|C:\Windows\System32\windows.storage.dll+14d302|C:\Windows\System32\shell32.dll+100749|C:\Windows\System32\shell32.dll+ff2f6|C:\Windows\System32\shell32.dll+f1bc9|C:\Windows\System32\shell32.dll+aefce|C:\Windows\System32\windows.storage.dll+12c92|C:\Windows\System32\windows.storage.dll+12989|C:\Windows\System32\windows.storage.dll+1285f|C:\Windows\System32\shell32.dll+f1c4f|C:\Windows\System32\shell32.dll+aefce|C:\Windows\System32\shell32.dll+fe2d3 154100x8000000000000000191305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.506{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 23542300x8000000000000000191304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.248{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=600AAE4A579EF48DD0496CFACA08F750,SHA256=0505CAD316A32D198111ADB547D17CCF2DD196F6A9B6E714322A9990427FDB2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.133{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60469-false10.0.1.12-8000- 10341000x8000000000000000191363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.753{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.753{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.637{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB89E0988F4F130DE7C1661DB939E7A6,SHA256=D3158214CDBC3BC6D055F098133D8939F0747CD25466F48CF0AB332B8DAA9E42,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000191360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 14:58:42.606{E8723972-A821-6356-F10F-000000008902}9516\PSHost.133110971215064802.9516.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000191359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.606{E8723972-A821-6356-F10F-000000008902}9516ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_zrvkwb5b.ue1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.598{E8723972-A821-6356-F10F-000000008902}9516ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mooqjgva.1ix.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000191357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.482{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mooqjgva.1ix.ps12022-10-24 14:58:42.482 23542300x8000000000000000191356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.478{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFC6DEE79CE1DE41FBE4D6503465A45,SHA256=2E1CD97EACB9CC2D18C701D48027953767525040AE6117BA625978707107A1EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.476{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D3895618CA70DDC89E77871E6EFDC0,SHA256=3EE68130648A05AE1682D4CEB2905B5138FBC680A9C05A0602A47FB02A96E963,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.475{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.470{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000098557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:39.937{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53675-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:42.078{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47851AB1967BBE5387D88E4C6CD2E7C,SHA256=0ED3576C06D5A57E92A993CE7F9A98B394139C1ACE6243C2E2D66F495D0A294B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:43.539{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E5CD70B3B2D7660742A03D2DA28CE4C,SHA256=1FBDAE442B185D77C434205CC074009494E936DA91A3DEFA6320555F8E0210B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:43.515{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6679556A0B6F46E631405C6C14DA9852,SHA256=748B36D79EB74DA183D1B6EAC39330770F73F997C482B074BFB170ECC2D2CD5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.574{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.568{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.565{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.562{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.561{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.557{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.556{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.553{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.552{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.549{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.547{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.542{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.540{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.526{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.506{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.489{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.486{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.478{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.441{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.432{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.422{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.415{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.408{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.402{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.395{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.386{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.377{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.365{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.361{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 23542300x800000000000000098558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.179{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C26C6470D4F7E43E62EB37C8588FB6F,SHA256=AEF9DF262D59F746CDC0310541127373A499B69C28F65D653800BCEAEC7BC356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:44.596{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB931B61DBDD5024E3FF58AC3725415,SHA256=D91B36CA0D306583C28FF0963290178B8FFCBB66423E536446FAEFE8028CD877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:44.693{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B675F3DA9342261C3D8F04FAA7F870D9,SHA256=03C4F755B0E2F68DD11FA4027EB7CF5A267B5C0E846DB95BDD0BCB9084936D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:45.667{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBD4D64BA4F93A2E78F9FCA38A62678,SHA256=0AF08EA2DC45F1FBDF43EB57FCC2BA0EA31CE7E9975273DA5B849A29BD49560D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:45.781{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF6DE4B36A7338860CCA855FA52C76C,SHA256=4FFE7975A433693548A33D35F5C486DD4DB656F1F334E8A0F7BE4F9EB76AC6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:46.866{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CBA942CB7B9CDDD542377247D7E5B5,SHA256=12775DFB987AEDD346FE41F2A6889E4E94ECE2F513FBB2A9873308BE7952F3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.787{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA5EDF558BA8D8AF5A7CE2B0AB1AED2,SHA256=C53A6BDE0CDA583ED60D939877A17E72FC55F1A5615CEFDC468B0E39B44A7F8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.734{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.732{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.730{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.727{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.386{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.376{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.372{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.366{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.364{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.362{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.360{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.339{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.334{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.321{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.315{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.309{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.301{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.293{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.284{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.278{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.270{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.264{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.230{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.228{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000191369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.183{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:47.751{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009AFDC4CC829C6C863371D3532D4C56,SHA256=3CCFA7A2C62D7BE91588D6DA1FD12D8E2D3499D918BD0BA4B9CA3E6D8E9446DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:47.953{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4477925F233D29DA1DC4353C19EB4F,SHA256=D91147BABF882930015B32B6C86161E85EAD6BC6EFF16CA21863CDDE9167253A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:48.807{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48FFF7A63E1177F10BC2A3056ABED55,SHA256=DEFB5DE479177F00F9BD51F16CC795826A2B48665CFC7F0A6DF87861506A3BDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:48.764{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:48.755{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 354300x8000000000000000191397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.055{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60470-false10.0.1.12-8089- 10341000x8000000000000000191396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:48.749{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 354300x800000000000000098592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:45.919{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53676-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000191451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:47.057{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60471-false10.0.1.12-8000- 23542300x8000000000000000191450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.773{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A2C83FA242EFBFD0B0EC629CD6E291,SHA256=21E46416212CC50E77A3A4D55CDD5CE18AE80AAA3959936269B82A433211AC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:49.044{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6E04F220E9510FFB6E750519BC7CB6,SHA256=483659607582B201A105DB7513B0F41D9524DDEFB05AF0B107A82F221282F82D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.570{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2F47BE5543517B8BEF086DE8017296,SHA256=FAA8AC33CEAFCA746EF344FE029EEB604255DCFAB2D89EA7967B8A7FF73CCD06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.495{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.488{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.487{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.481{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.479{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.477{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.475{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.472{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E9-6356-E30F-000000008902}9672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.469{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E6-6356-E20F-000000008902}9316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.466{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.463{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.460{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.460{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.458{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.456{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.453{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.439{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.438{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.438{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.437{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.436{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.435{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.433{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.429{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.426{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.423{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.420{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.412{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.410{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.381{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.378{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.367{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.366{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.366{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.353{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.345{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.312{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.306{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.297{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.292{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.291{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.288{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.285{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.283{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.282{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.278{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.276{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.274{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000191452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:50.806{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC8EC143F29715E009EC8B4FE4FFCA8,SHA256=C026069F95F8BF1D93B65966A364F329F3E125FCC64F5E5A9202926A876B30BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:50.242{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F536DDF9A828E079C7480B049E0643F1,SHA256=965AB106624F537F954B6EEC6C4F359E8B64036A9D219B9A22D1E0E3B6D7E287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:51.877{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B96CC38B2B6018469607C46192D822,SHA256=5590A4D623921FA0F73A1E12519FE4792E434F48B60668BE0E845799B2C8EFC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:51.329{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A4B0017D3665AA2D0F754374089C05,SHA256=D8D0F04105E9B56837A139AE5684E7CAC53C92B286B9A298DABD1EFEF07D4775,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:51.324{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:51.323{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:52.423{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4334EB75CE200DCBD814FE40E4642FF4,SHA256=2517F97F2B8E43116FB5336EA2DD4A1D43834D6EB5E1D4C6DAADF1F4D79E8803,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:52.108{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:52.108{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:52.092{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:52.092{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:52.092{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:53.500{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF677A1D7612AB86ED5E2A66A075A10,SHA256=476745B3923D61AF4C535A9F36689AED28D5E92C128FB5810554A37E209DC2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:53.034{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49227AB7D771E8D397D069925328C7E,SHA256=AB360D54E2BA4C2314E2793B1704111E1F3C8A0A8563C1E54B85F36649988458,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:51.928{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53677-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:54.578{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5FFD67C812D610211439B1067A03A9,SHA256=59DF6A77D15276433310F0ACB1481E53C26B8C75F2D56EB18149EECFD9941026,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:53.066{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60472-false10.0.1.12-8000- 23542300x8000000000000000191462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:54.095{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57BDC2D8DEF21118A2F9DB33142A8BD6,SHA256=1B129EAD8C25AB35C685FB8F8B2EF3DF2C22CC76BD6E8D6F372A13B64FE4DBAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:55.663{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0D610D3906034B42E6E822DC7238C8,SHA256=18743EDE0E98FBE8A902A51ABA9728DDD9E13CED33825A51ABDFFA6F7BB930AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:55.165{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A52B605FD6DE7658939CCA376C5FD3F,SHA256=F9B19BDE9FED3E45F2E870DEA0BC01725756DFD3304AEB534A74E7EA07F404C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:56.735{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BF91A625928110F7F2AE246BEB98DD,SHA256=1DBC291914C82F59073C851BBF0878133CE264AD714D4954E4EA8289B2CEEAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.231{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7202E0F7344FD43234621B15248740,SHA256=6F3CEE82B29708226260DD59068C39653A5E3041772696DE0DC70368A3439E55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A831-6356-330A-000000008A02}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A831-6356-330A-000000008A02}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A831-6356-330A-000000008A02}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.905{3A30D728-A831-6356-330A-000000008A02}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.826{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9C3D15EF81801628E86E23142288CB,SHA256=C388B4313E6A305689E9C96F33C2E288D8A3D0D16A750BC75EFF3E1183EB9A07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.180{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local51300- 354300x8000000000000000191469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.177{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60473-false161.71.11.52dcl7-ncg0-lhr4.la1-c2-lo3.salesforceliveagent.com443https 354300x8000000000000000191468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.117{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60091- 354300x8000000000000000191467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.092{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60091- 23542300x8000000000000000191466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:57.284{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD58EC0905C2B9BF4CD5E73F22165124,SHA256=444F1D339BBB774ABACD37E83FF1A7DBD52A5DBC88CC304F5856962AF042DD4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.954{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDB546E4AEDD183D9D7402430900CAA4,SHA256=642EFC6BC825B07686D5D87A8DD21319D45D969FD7BB0E22665B6AB412311AB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A832-6356-350A-000000008A02}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A832-6356-350A-000000008A02}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A832-6356-350A-000000008A02}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.925{3A30D728-A832-6356-350A-000000008A02}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D25C145EF448154DED85918ACCF5CA9,SHA256=68BBCBF64293F29E87F35039E5A4A802F02866391948C3A228DD035451BC30EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:58.386{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A41F7CE7D8930E496936618834B74B,SHA256=39B2BAD1A1B12AC01A64207BA229BCAE0C31110105168E6EA49389D20E51746C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.686{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AD68098F2292336F8727C8965F9AF526,SHA256=4FD0B24A0BB1BAB0ED864DA2935CA77443DFE8ACC624189456B7D0306345E896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.561{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A1F5DFE58850B2ABF93078E38836674B,SHA256=06DDD2365AA489D39D8D09528609A94B2C97ABB9D67F1E1BDC2AEA4DC1F12DC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A832-6356-340A-000000008A02}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A832-6356-340A-000000008A02}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A832-6356-340A-000000008A02}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.420{3A30D728-A832-6356-340A-000000008A02}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x8000000000000000191472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.185{E8723972-5A49-6356-0405-000000008902}5716la1-c2-lo3.lo3.r.salesforceliveagent.com0161.71.11.52;161.71.11.180;161.71.8.180;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000191471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.185{E8723972-5A49-6356-0405-000000008902}5716d.la1-c2-lo3.salesforceliveagent.com0type: 5 la1-c2-lo3.salesforceliveagent.com;type: 5 la1-c2-lo3.lo3.r.salesforceliveagent.com;::ffff:161.71.8.180;::ffff:161.71.11.52;::ffff:161.71.11.180;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000191477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:57.829{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60474-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000191476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:57.829{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60474-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000191475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:59.465{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD248EF59A81C28495A28A6FF38EC1B5,SHA256=1361D653940DF872F99C1B686452ECEB5AC086B00842E48BF399BDE84472F699,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:59.157{3A30D728-A832-6356-350A-000000008A02}17921012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:59.003{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FE8172D0793FFBB82CE026157ABC594,SHA256=EEA42029EAA2D7730EFB9FB687F2A5C6CE7D618596941CCFD21B98474420B129,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:58.104{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60475-false10.0.1.12-8000- 23542300x8000000000000000191479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:00.566{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39F4D5A2FA43E2D65D222F6D25D6C87,SHA256=7BB79D5D70417CBE9055C89152064AA8A102C35FCC4E99E73649BF12FD9E3035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.433{3A30D728-A834-6356-360A-000000008A02}1372968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A834-6356-360A-000000008A02}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A834-6356-360A-000000008A02}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A834-6356-360A-000000008A02}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.090{3A30D728-A834-6356-360A-000000008A02}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.024{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D7A9D2D4D68B8E0E7C03815D3EE978,SHA256=82DBC2F77112F8F965F947A47CB29A121BFD87B11D81A602E595BF57A7DF8F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:00.166{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A4C087555A0EE7FF2319EEE7AF28C6C7,SHA256=3C25A6E324B1C13721A56944188EACAAF86C202DF44B42AD51825718743DD130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:01.717{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CAA2D2838104087B862AED4CDD25FD,SHA256=29DB58924DC584FC6C4BBEC75B0A279DDEF790D5B3B59CFC9B617A43222D4CFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.902{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A835-6356-380A-000000008A02}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.898{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A835-6356-380A-000000008A02}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.898{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A835-6356-380A-000000008A02}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.893{3A30D728-A835-6356-380A-000000008A02}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000098677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.431{3A30D728-A835-6356-370A-000000008A02}19921084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000098676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.928{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53678-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000098675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A835-6356-370A-000000008A02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A835-6356-370A-000000008A02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A835-6356-370A-000000008A02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.228{3A30D728-A835-6356-370A-000000008A02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.117{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226FC3124C030AEB896679628CB01874,SHA256=8F80AD10A5CF3ACC6313D8CF88C97DC689B25741211B66B5DEAC5E73067CEB6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:02.793{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F5164D926151A9440C16BCD9BFC225,SHA256=E24D541938F597EA8DAEF658AF2EA896903BC3D99794D66C763071EB60BE423C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:02.794{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A6E27E9995B1A8C2DFC0E070223D5F66,SHA256=76E5156F827707B38469F6526C249D8FEA92F7B89BCE6B1A049A003A594E4884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:02.372{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDFE495D792E102C8D7BA51985CD7C2B,SHA256=B2AD0168033CCFAA2EBDD4B802BB0451F957F01064DFC2BDC0EBF126474B3B71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:02.107{3A30D728-A835-6356-380A-000000008A02}27323748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.872{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9903868E9734885CE8F6AF198EF2CC,SHA256=EFF72266FD4D2BA933C96F8CC3469E7F3EAF5F3D80C654E4EFE95A9A6CDCD2DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.636{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.632{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.629{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.626{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.625{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.621{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.620{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.616{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.615{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.611{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.609{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.607{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.605{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.596{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.587{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.551{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.549{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.536{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.492{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.484{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.473{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.465{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.456{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.449{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.439{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.428{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.412{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 23542300x800000000000000098696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.412{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC353C288C3A4A2AC54371430C193950,SHA256=057F8EAFCC32A97E5D5925D129021B25EC7E5EB234591DEFA4F2A2C5A863F640,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.389{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.374{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000191491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.495{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.495{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:04.929{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC334F286838106A81B03C85DA90444,SHA256=65B6A53099725E9B46E949873C8F60EDE7CF38D5599E2898EB7E150FC2685388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:04.662{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD79B9C24C1835DDEA9A4DF1AC5417D,SHA256=D5ED189FC0EF3313D7892E8850D368A091996E41CA6BCBA11061AF9CBA2A5409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:04.574{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E27B13735B811FC05E7FBE85EB5BBC60,SHA256=BEC9E6327194CE171A89EEAC8D81E54C57141E1AD78A6574685D0DBEF8404EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:04.239{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7F0A9A6B686397AAD406936D405AF1BD,SHA256=ECF475E26C05B64A717927F5A6EE4EE75B1F286B163DF75387A25C0BCEDA93AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.928{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.928{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.928{3A30D728-58B9-6356-0B00-000000008A02}6243016C:\Windows\system32\lsass.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.913{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.787{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D78A31803E5AFA30E283A84F88913A1,SHA256=CDB70DFBDF27C828AE24BE6B9871292E05318971CEC5840F5F616C190D2850DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.984{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60476-false10.0.1.12-8000- 10341000x800000000000000098737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A839-6356-390A-000000008A02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A839-6356-390A-000000008A02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A839-6356-390A-000000008A02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.008{3A30D728-A839-6356-390A-000000008A02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:06.870{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD00157B279A438DC0347FCA13E44170,SHA256=7CE3E850727349F423611679BF4135A7BAB7F68D5E923EB3A50DFD4D1EAABA29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:06.105{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E3B2F9BFF1D3A930C44CD05972B6B2E,SHA256=54B8CD6C329E2B97D672E1050D6B2C1175E26061C7FCD3DC96D02CF5B7DE8510,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.795{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.791{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.789{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.783{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.390{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.381{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.376{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.370{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.367{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.366{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.364{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.340{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.334{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.322{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.318{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.311{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.302{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.294{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.283{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.276{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.267{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.260{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.224{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.221{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000191497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.015{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63E2C8B1F4144E498F8764159261622,SHA256=6651D1C2F46792B5B148113E5B8B7333E6A2C0598900566AB87034536948D2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:07.953{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F8429C46D3F4FD83AAB4FDD9B2F68F,SHA256=AEC48C21AEC583B01D2623601201CA9350D57AE39C2FA3C0D9E2CFC95D98D822,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.840{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53679-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:07.059{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9CB50877DE1C8B27124DD73A6A3737,SHA256=5765C44DB1A6E5DA1A086B77BDA19F1A4E83A354162A9571336D864FA3DF956C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.841{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.841{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.841{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.838{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.838{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.838{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.838{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.827{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.826{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.820{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000191523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.151{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983E90322EAD0438B0C82CA647CC2B8C,SHA256=1793B5FB15B9407F31EC16622F4889B5BB0A1D6BEE8C8FB642560A4B41CDC831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:09.057{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=651988093298F68FBB4BF5B549DF8976,SHA256=ACBC019F88D94BC078131DB0FD2FFCD4F1B5130DAC39CF4455EE65E17FE46C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.882{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CF569C982CEDC191104BEC08D2E600,SHA256=4AB1A46FE501A9CC4F37B6C04560001F33169D82E4CF73F55A85F19D04E90D1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.563{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.556{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.555{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.549{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.546{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.543{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.541{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.538{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E9-6356-E30F-000000008902}9672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.535{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E6-6356-E20F-000000008902}9316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.533{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.529{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.526{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.525{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.524{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.522{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.519{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.505{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.504{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.504{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.503{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.502{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.500{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.498{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.495{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.492{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.489{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.487{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.479{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.476{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.448{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.445{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.435{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.434{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.434{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.420{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.412{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.377{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.369{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.361{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.356{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.354{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.351{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.347{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.344{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.343{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.339{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.339{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.337{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000191534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.210{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E0117D3CF95613A2B37C4684B5A4E1,SHA256=E07BEACC391CE5723B2C05F9A29616247B9CB253A545F6C285F0790271BADCDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:10.507{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBC9E62150C08BE71780DCA3BA3719C,SHA256=8D94B8F229134A44A7D7B6418BA364E368637DD3FAA37D101D76737E170ABCA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:10.140{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B364E36394A360FEDAF251C4AE1494,SHA256=B58996351E4D2CCACF658E30FF3D1BDF7470B7DBD0B4B8873E7AE9897524854A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.023{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60477-false10.0.1.12-8000- 23542300x8000000000000000191618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:11.557{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6A3F56CD1DD1237C87417F5A77323E,SHA256=5394A1F1BBFE9E0E3CFE132192B79AE68E9CD88D5D281DBF6F39C43D09407203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:11.236{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6557A59B15D64F66E4A137CC8FEFAC4,SHA256=CB4FB6D4B3A9D815EBBCCD4DACAB7E4E78454A0A18542CF807A14CC9024296FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:12.626{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA31ADA8E79D6594C6470C8E3DF2BFA,SHA256=D4C5317027B58CF98BD0482E7FACDED2B11D5C6641362E627A7C3E6B83AF5A65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:09.820{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53680-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:12.323{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0A2FB96294919D09B94B299C698E5C,SHA256=83BB775C09249BE1D264256FC15FB5A87C333B5CBB1E171A455F213B2B37D869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:13.691{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E700E93AEE4021E5012B373675E69CAC,SHA256=AD4A908B070E460627309A5A8DE66EB00EF87E2097DE311AB3AC5354DD042234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:13.414{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F36633C4A985655B9E5437E94386CE1,SHA256=75A0E7A7B18A4209AD5518A922887DA70A08C7CD15C339077EE2248DBA01DB1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:14.730{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97D0E651B193061774028F7021606FE,SHA256=5EFD9838A471A70E5B3F6B133B26F37CD6F138179FA2CB50098DA1B0DA3A4CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:14.509{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F047A245C55F8E9BF2B7713DBF65DD,SHA256=DEBB5692439D86F3ACE7429028919F23065F845BC5ED10BF7106BAB6F325AE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:15.865{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AEB7C00819A6CB8C51E24B90DBC404A,SHA256=F99B18BAE6AC4AC17E2F5A34F606A3877D899A2D06BF680C2B483797C8D3AE1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:15.587{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC36A9927D49EABB5CE78D121C4A32E,SHA256=3278D02FEBA8FA6E34CBB8C47D6EC1FE59742B5679DB7CDC36594CB65A360D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:16.949{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5F6A50B2242091FF7421856F5BE5DA,SHA256=D75A4E7B1E8F11BEBCF867E9E1EA51400390A6C968C2AB11F14D9705A2722255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:16.674{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6886FDE275DC17F32CEA00BAD228DC,SHA256=7250DC9A635AF37D50EB94E6547D0998D55BAC5AB97532C93CA6BEE9081D817B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:14.031{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60478-false10.0.1.12-8000- 23542300x800000000000000098757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:17.871{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:17.777{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D8D04DDF9751D1B5FAB78AA9A2C582,SHA256=AF2CEC39BA2185DB80F5F56E6662191167E89D16758687EC9491BF4AD46068BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:17.049{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\2.vbs@2022-10-24_145436MD5=BF3A9D399F13783D6AA4CEB1B50758A0,SHA256=CFF55D8EF4559A2B4B717E8117A6F27D8C6CFDB94B8D383A0E1D1CE72BF34E79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:18.864{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726BF8586C0E0A7B3B79283B2629FD94,SHA256=F7FE9CDB4544ACA51C1A31B472C0691D70120418DDD0833BD8232C009EFB580B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:18.271{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D7DE05253C4FE21E7EA26B7E9E1FC265,SHA256=3AB58801611342A08270705A8900F4CCB209D45AC5986B1924B68ED0FBE0C5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:18.019{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0692C7980490DCC82617A605C7243303,SHA256=B5B3DE14C865460ECFF1B23B56EB1A1BAC06EC08936297D556CF62BEF5A9F09F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:14.904{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53681-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:19.969{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0234D791F3AA2F2A7AD9B3D8146C1B,SHA256=449E0918996DB7C59281626C5AC60B119AEE65753EAAE1C7ED904813F397EB9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:19.688{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\2.vbs@2022-10-24_145436MD5=74E174966361102963F5CDAB5D4D3ADC,SHA256=3E0F062979EA9D268EF3E3C673A4D05C234D6870C571282DCB31C8B0AACF0CEB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000191631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:19.683{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbs2022-10-24 14:44:33.924 23542300x8000000000000000191630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:19.683{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbsMD5=C39D59AD8F8E168D638231D3D4771657,SHA256=31B3C02F1605C7957E5438CAFBB9DF8AB9E83C76B8EA92E1CD2C2225D8A3FE0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:19.070{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85F212F027AF4DE6768A9EBAB21D80A,SHA256=EC6C949EED1A3C654689E5137E7208BE29E0DA8DB238B2B300C29142D781548B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:16.548{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53682-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000191634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:20.827{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-340MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:20.139{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316DEAF9B1EE516FB3006084ECA6C33D,SHA256=26B81F88DA3691DAB8FB3AD2A839EF447E6F649D5B2DC4FE92B840A0CA567A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:21.075{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC7CEFBD6375D1EC5DB47A5A577EC7B,SHA256=88D25B4B5A90F1CA4B71D178DC76E629EFFEF0D936181AEBF550AE2CEE532CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:21.827{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-341MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:21.205{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6A48CD969C517250BE8A846F09E6B4,SHA256=3D39F48FC8C3DCBFFB5107D5BF8376FBD4E657EDBF3092166838E0CBD40C1FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:22.431{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-330MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:22.163{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03961CFCCFDCED8772514254D725269C,SHA256=0AF03CF9CBA04993E0367BDB91EB5C88283A4181E0E841EE602F720BAC747373,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:22.442{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:22.442{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:22.442{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:22.427{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:22.427{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:22.427{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:22.427{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:22.260{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF1864DACF7C5F8B684A4E484775EE15,SHA256=F268B50A1E06F774285AABC58D8AA89ECB803C1D19100E087776B9F976CA1E85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:20.042{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60479-false10.0.1.12-8000- 10341000x800000000000000098795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.620{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.615{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.610{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.607{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.605{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.598{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.597{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.592{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.591{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.587{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.584{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.582{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.580{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.566{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.559{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.538{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.535{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.516{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.468{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.457{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.438{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x800000000000000098774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.431{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-331MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.427{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.420{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.415{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.408{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.401{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.389{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.376{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.373{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x800000000000000098765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.251{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C029C059A31AC6205165B57A56DA75,SHA256=F1ED44874AE2F28B7D528E9F3691A0551261AD8223B8C69375D1120439F80CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:23.305{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A5EFFEA0FC0F1AB7ED928EEF596B5E,SHA256=6102A0472BCA79FBC2054118DB14493B05CA3B3422E307650F191A6D44415FD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:23.205{E8723972-5646-6356-0D00-000000008902}9124748C:\Windows\system32\svchost.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:24.826{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B99D4233BE16B94FCD902815E3A7DD,SHA256=59670C51BB498423E92791594682A9068E1B5156CB0613AED4EE8B34B6426754,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:20.904{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53683-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.684{E8723972-598A-6356-3A03-000000008902}2764ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\2764.xml~RF1407c11.TMPMD5=38B3B629FA51245D94DE48EE973F2315,SHA256=7AEA9C989BB3CC8B7D4D000946600CD0CFDDD79E3F856C98B216BF82DA28A766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.507{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABF269B4DA23AD129EBB8B0C7087DAF,SHA256=C8D60C82E66344D2BAD58740977F13076009EF238B10561A6E13E0EA0BBCFEDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.341{E8723972-5646-6356-0D00-000000008902}9124748C:\Windows\system32\svchost.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.258{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.258{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.258{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.257{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.257{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.257{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.114{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.114{E8723972-5646-6356-1600-000000008902}13001680C:\Windows\system32\svchost.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.114{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.091{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.091{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.091{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.091{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.091{E8723972-58FF-6356-7F01-000000008902}6482100C:\Windows\system32\csrss.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.091{E8723972-A4E8-6356-590F-000000008902}101129400C:\Windows\system32\cmd.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+1492df|C:\Windows\System32\windows.storage.dll+148f55|C:\Windows\System32\windows.storage.dll+148a46|C:\Windows\System32\windows.storage.dll+149eb8|C:\Windows\System32\windows.storage.dll+14886e|C:\Windows\System32\windows.storage.dll+14b40d|C:\Windows\System32\windows.storage.dll+14bb4c|C:\Windows\System32\windows.storage.dll+14aeb0|C:\Windows\System32\SHELL32.dll+fdb9f|C:\Windows\System32\SHELL32.dll+fda2c|C:\Windows\System32\SHELL32.dll+5b20e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.100{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\2.vbs" C:\Temp\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000191648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.091{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:25.650{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8EEE485DB1426666A10D90A2808101,SHA256=645A906C0052586425ABAD1B686E7D5944E11A0396AC46474BB2BEBDB2F05E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:25.432{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25CC3E60D82705923D1423F21F54C4A2,SHA256=E60F69BB242F3FA9ABCADC369A542DE25F77D2F1D9FE7EFF3A83D1761F34B407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:25.132{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B08F67B5BC9B3EDC13456C2E50455760,SHA256=F6270169839CC93A5C304003C823C0A30C4F487BBBFEA235A45D72AEBEEFBD13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:26.762{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8D38A717ADE2653B4ED17C928EF609,SHA256=5492F6FA6A7A169611747C4EA518F9BE317A6CA2A09A849C75AA74AE6A861E5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.758{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.756{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.754{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.751{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000191730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.722{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79FD653D54A0F850661FEC6E49D75D19,SHA256=67409FEB0F78D7A66FA5D79AF984161A8765BB98771E7BB48393D910388960FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.684{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A84E-6356-F50F-000000008902}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.683{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.682{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.682{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.682{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.682{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A84E-6356-F50F-000000008902}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.681{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A84E-6356-F50F-000000008902}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.680{E8723972-A84E-6356-F50F-000000008902}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.612{E8723972-5646-6356-1600-000000008902}13004384C:\Windows\system32\svchost.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.612{E8723972-5646-6356-1600-000000008902}13004384C:\Windows\system32\svchost.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.414{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.405{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.400{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.394{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.391{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.390{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.388{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.364{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.359{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.347{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.341{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.335{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.327{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.318{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.309{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.302{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.294{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.285{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.251{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.247{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.010{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A84E-6356-F40F-000000008902}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.010{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.010{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.010{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.010{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.010{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A84E-6356-F40F-000000008902}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.010{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A84E-6356-F40F-000000008902}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.011{E8723972-A84E-6356-F40F-000000008902}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:27.860{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAF5469497E0917C07B28F39043894F,SHA256=89306E1B1BF31181395C65994611C1603220ACBB8E0E159D02FA22FEEA592053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.808{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94AD40B44EAA0C9B4CA52011BB254E42,SHA256=BE4E6A1DAB20AF418677DED329E6DA2CCA89E1ED0E9B5359CCE4C018F924BCE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.435{E8723972-A84F-6356-F60F-000000008902}56727300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.272{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A84F-6356-F60F-000000008902}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.270{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.270{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.269{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.269{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.269{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A84F-6356-F60F-000000008902}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.269{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A84F-6356-F60F-000000008902}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.268{E8723972-A84F-6356-F60F-000000008902}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.095{E8723972-5904-6356-9601-000000008902}52565636C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE77F87)|UNKNOWN(FFFFA4475EE72611)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EE72296)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000191736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.095{E8723972-5904-6356-9601-000000008902}52565636C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE77F87)|UNKNOWN(FFFFA4475EE72611)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EE72296)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.095{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1408577.TMPMD5=B6AF075EEF849C96E5B077C7686AD18F,SHA256=6238E31FF8D53F83D88B98475C1ADF7A06FFF50096493BBE9E30B6DA56F87D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:28.937{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EFFD468A879DAEDF92BAB5157F5F29,SHA256=26EDBA584DF57FEFA0D9001D665BE87F4641EC9ABE07E02962F2981FE91C0410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.937{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3BC48FB861C9FA73156776D3A41D655,SHA256=0F348FE96DA9545C26DDA74B5BD311048F1414FDAC3E8C80A77DAD42C778391A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.817{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.802{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.802{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.802{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.802{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.802{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.802{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.786{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.783{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.768{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.716{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.213{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F7AC8B9C6FC60313F6FC0F949CACCA06,SHA256=753752F88B1D4C0F718587275999F5A82134D44418AE9C5F39F6008E34D6119B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.021{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60480-false10.0.1.12-8000- 23542300x8000000000000000191812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.889{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B747DF61137C5D1492A072354F9A05D,SHA256=2AF7B498C8EBC8EB212B761D117994EBC0D1E361C7C47E06E567775C34626500,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:26.850{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53684-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.629{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=412BDA8178368A4BE054BF74A31D26C5,SHA256=2B801136AD7F434B93D5A48CD036A028B527111C78843E961AD9A838399823FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.602{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2E575970656D83CE6C4CF16E9C3081,SHA256=F42B7FB6AFDAC453DC652F4CB243890A24ACE26B268E427A9576C054A4A7509A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.528{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.520{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.519{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.514{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.512{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.509{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.507{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.504{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E9-6356-E30F-000000008902}9672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.502{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E6-6356-E20F-000000008902}9316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.499{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.496{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.493{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.492{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.490{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.488{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.484{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.466{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.465{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.464{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.463{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.462{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.461{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.459{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.455{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.452{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.450{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.447{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.439{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.437{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.405{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.400{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.387{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.387{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.386{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.373{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.364{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.332{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.325{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.315{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.310{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.309{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.306{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.303{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.300{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.299{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.296{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.295{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.291{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000191829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.942{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C83F3BFAD9083CDCAB61194EB8887D0,SHA256=4115994B14B4870CD5F0CF84758C2A0809D5C4512EA34D38E8B308D04AE4AD0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:28.055{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse178.183.89.153178.183.89.153.dsl.dynamic.t-mobile.pl54411-false10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal3389ms-wbt-server 23542300x800000000000000098803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:30.039{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4778820187D949ED8896F3380765F5D,SHA256=EB8B9557027B090827A5DAE2F412864749D808B9C0324D6C5EAA307CD88CB13C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.757{E8723972-A852-6356-F70F-000000008902}95486676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.593{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A852-6356-F70F-000000008902}9548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.591{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.591{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.591{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.591{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.590{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A852-6356-F70F-000000008902}9548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.590{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A852-6356-F70F-000000008902}9548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.589{E8723972-A852-6356-F70F-000000008902}9548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.017{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.017{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.017{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.001{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.001{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.001{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.001{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:31.131{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C192C312376EF73530F3A1F8D8A04EE,SHA256=CE92DE03BAB8E4C2D05D50203B5669AA97EA464D69AF4D8F5EA15205A4C6F618,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.820{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A853-6356-F90F-000000008902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.820{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.820{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.820{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A853-6356-F90F-000000008902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.820{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.820{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.820{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A853-6356-F90F-000000008902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.821{E8723972-A853-6356-F90F-000000008902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.693{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC6E3C666600804BB0732E97A2439317,SHA256=A24FAFFAF8676723E22B2BC2C5891135145614C42B4F98E55962B84C05523676,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.439{E8723972-A853-6356-F80F-000000008902}75408568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.370{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.370{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.370{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.369{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.369{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.369{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.258{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.258{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.258{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.258{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.258{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.258{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.258{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.259{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:32.232{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389A44378F6E059A9AAC1B31AD7A9A5D,SHA256=F695F7B86FCE9D51111D2EB26FEA75062570B4066E42F2097B4AB4335D474A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:32.186{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=71559C70289CF26AD20C2F3F0549BCF6,SHA256=97FBCE60BF018335C5293B184892F49C682764B8AA5B248ADF8CF14446EE46B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.677{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A854-6356-FA0F-000000008902}9800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.677{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.677{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.677{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.677{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.677{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A854-6356-FA0F-000000008902}9800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.677{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A854-6356-FA0F-000000008902}9800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.677{E8723972-A854-6356-FA0F-000000008902}9800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.043{E8723972-A853-6356-F90F-000000008902}19885248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.028{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5AD01D33C399FFB6274E20FC5F2AC3,SHA256=1316B0B6F44E365800CAA42E01FB35A2030D5792DE18AE147C95F7F69F3C1DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:33.323{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D79BE38504949C8E566EEC8C98E459,SHA256=7B17CC49DAFB662188D8331DCFCD37D5BB5DE19242C1AFFA7E071D3AEF146D4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.077{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60481-false10.0.1.12-8000- 23542300x8000000000000000191864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:33.096{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442185FEFF58432A54F604F59CE5A389,SHA256=FD311CA2C5123B3014F8B7DA61A518B54E1F8211F94C496C0CB8DAE0224489F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:34.278{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025995A083CA10AFAE723667018A8F0E,SHA256=AC5C07770DCA74439DB78B86FABE355BCEAC975B0EAACA240700E0543C94CB6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:34.430{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BB84258084FFDEBB241DF3E59454B6,SHA256=580EB87A05493FA249E83B134461E57456A9365875B6448216BF91B66FF3A910,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:32.834{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53685-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:35.515{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96F1D7AC6577DE2D32F9BC83F3599AD,SHA256=ABDBD41E2613B93D20FEC3B6527C63A0357309A7BBE9C4A26804B92514A15909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:35.425{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3C4B7A1A7C8F59F1FBB08E23CEF2F0,SHA256=4EE6470A24FA07EC03AD7CFC78055BDC5E70EB05C59C42174981F6EF15195FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:35.241{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F7E21ABBCEFEF7DCE1EC8A2AFD682DF,SHA256=427881D741D0F35F90B06E24BD669FFEBB56D5A1B101C80CC4B52C91ACA1E690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:36.592{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CE486A5BFF8D62A9B5F75CB4FC41DF,SHA256=4EC5E77968F90A6040C09149899598086960BB0DDC58EAD3BDEABB82E4D93D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:36.683{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=D402711DAEB719158E1C3E7FF9218B0E,SHA256=748BCEF8134C54489FFA2902E262EE4456D59B80D331BD4A81164ACBFF13378B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:36.481{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AF2DEBED830B969786F294CF7AC13A,SHA256=C00B611E6C09BBC834AAFC917982F139BC8CEBA1F593EC6358889000C4DE1BC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:37.679{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3DB39EB534C89FCA74F566D7AD55DE,SHA256=DC4CFFE5C1FBBFC9D6B56B9981715ED1BFAAE4187C64F289D4BAD62FD6A4FE69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:37.648{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=88650CB0E4B4AA1A2CB1DB3DF5154EA5,SHA256=B5F863D1AF5FDE576ACF6F304333DBEAB86B8BA40E0378EC3447B3C62A955A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:37.567{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E59F5C30ED36ACF2BA1E17227BB62D3,SHA256=187EA9321E468043FED0A8B7C072564859BAC034C5367A2C9466288124F8C958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:38.664{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10D18A0029D6F8613767673921B5F3D,SHA256=23CEBFFBC3002426AF0006EDA2A07457BD2E231C3DEDCC1137E0FD1FAEEAF154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:38.632{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D3EEC9466408E2BF50641E117A0E04,SHA256=BA886095D0443917DD083835C3791B0D2F4E68ED56710CDF35C586C79D580CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:39.737{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D89FBE1D5498DC11E3ED8A7D7A0A123,SHA256=550EC14CAE6CA365835D8D4B7E02B03E5BEE69E567996435F5A08C4170344495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:39.691{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83117312B5E9E05E62478751ECA9009D,SHA256=EB31E09B5902329007CA4A52D1E87E7149F61D58CD796A295DAAF0A39FC2903A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:37.070{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60482-false10.0.1.12-8000- 23542300x800000000000000098818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:40.828{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052A47B7D0CC619AA345DE00970222A6,SHA256=C3198B0615773832A7B7917E849D18C61F68E860C5DFA216B3CA1B87756C24CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:40.837{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC9B50F0549C5F5750CD31243D0B884,SHA256=B064497686D93CD1DB212AD8C0BAE46872E8180F01D63594EB80A6D6A0DB8371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:41.863{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77EC7C776E41FAF84124571D7754483C,SHA256=48B4F00F72C3F009B14B94411F3A78CBF92125785C92791071DCB3E1206ED8E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:41.912{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA90DE18604B7D59C14CB166A555143E,SHA256=F7D4CBF0CD8F951A1265D491AE445D4C22AA784C041ACDA75C9DB478A9389C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:42.942{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358D0DDC2113D6CCA03F1444D1D4B10F,SHA256=04816CDA0A79E4A7AFF9412D0964FC01820024359090219C1D7F4B551E24D805,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:38.841{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53686-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:43.968{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE8C4A75FE9BEFFDB204EAFBD5C54C2,SHA256=9D1DF44D07E69176FD3C52230E2CECB5784591F0B387B17951B03453487121A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.609{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.605{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.603{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.596{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.594{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.582{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.580{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.578{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.576{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.573{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.571{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.562{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.559{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.548{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.536{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.512{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.509{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.496{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.470{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.463{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.450{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.442{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.431{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.421{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.411{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.401{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.389{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.375{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.370{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x800000000000000098821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.009{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E627963FF2D3A8E27D410D93B3DC50,SHA256=7F7F087930259F6D5A2D7B066CE98EF8BDB5CD8B6781160ED8A81450DB94043C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:44.142{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26EB00DD8A2E9E19114B542406AB8ED,SHA256=0CC8664BAC24F9D2D55847E6BADCCCE0FCE8A09D1D634DFFE49BCC69E0F49DFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:42.930{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60483-false10.0.1.12-8000- 23542300x8000000000000000191878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:45.047{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00CC395A3541E79129684561F57D1191,SHA256=44952B3F5031DC30EB5CD004F30399E32EDCF98CC7CB3AE90E035848C15004D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:45.196{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC91D7884703A791291DB07DFF265503,SHA256=364F4053A4FC0CA6C5E885E021FE0C0C3C4031D2F8F6543B2CFA52A67545180E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.716{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.714{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.712{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.709{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.415{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.405{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.397{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.387{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.381{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.377{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.373{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.352{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.346{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.334{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.330{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.323{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.316{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.307{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.298{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.292{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.284{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.277{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.237{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.235{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000191881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.189{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.173{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B200D1D8583F4535DC6CF6F0CDB2E5AC,SHA256=79629962536BEC1766C9B0EA6AC2137E91EE7E1C02585CCF435DF5723D0D35F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:46.278{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5724D44D217981E9383457B166CEC2,SHA256=39F849BEBA3BAEA131689707BD3F9B79E10141DEEBB1E76E4790C78DFC827206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:47.355{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80B33451FBCA3626416A135712751AC,SHA256=AED9C9235EA268DF7BF2004639969126A7A0CDADB75B711A14E9B3ABA0D08DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:47.191{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21B7164E3923399482A1D3BB403D8DC,SHA256=43C12FC3F999C77B18E2E849E7A2DD9910BB3B25ACCE1B7CBCBEB676DE163D61,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.904{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53687-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:48.441{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C66D18641690F84704CA0781231096,SHA256=FB886DD429F051DD681D42E6E942E43BCC6A485274E530C515EA5DC4C006FA76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:48.745{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:48.744{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:48.739{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000191912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:48.278{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2B5461A97C9E28D07B6389A4DFF4A4,SHA256=2D1980A2C87952C9F16D4C25C001CA9444508757D8FB00B43F6BB4FF35729172,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.542{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54450- 354300x8000000000000000191910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.539{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60485-false161.71.8.180dcl2-ncg0-lhr4.la1-c2-lo3.salesforceliveagent.com443https 354300x8000000000000000191909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.479{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59584- 354300x8000000000000000191908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.453{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local59584- 354300x8000000000000000191907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.077{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60484-false10.0.1.12-8089- 22542200x8000000000000000191966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.547{E8723972-5A49-6356-0405-000000008902}5716la1-c2-lo3.lo3.r.salesforceliveagent.com0161.71.11.180;161.71.9.180;161.71.11.52;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000191965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.546{E8723972-5A49-6356-0405-000000008902}5716d.la1-c2-lo3.salesforceliveagent.com0type: 5 la1-c2-lo3.salesforceliveagent.com;type: 5 la1-c2-lo3.lo3.r.salesforceliveagent.com;::ffff:161.71.11.52;::ffff:161.71.11.180;::ffff:161.71.9.180;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000191964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.490{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.482{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.481{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.477{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.475{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.472{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.470{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.467{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E9-6356-E30F-000000008902}9672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.464{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E6-6356-E20F-000000008902}9316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.462{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.459{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.456{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.455{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.454{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.451{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.447{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.432{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.431{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.431{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.430{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.429{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.428{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.424{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.420{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.417{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.415{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.412{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.402{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.399{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.370{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.366{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000191933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.365{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4761AD7914053DD5E7928970521EC7,SHA256=8DCA7995AA04D37D70ECD3465745D414F5438BA2192CE0494FD20BDF519758C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.356{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.355{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.354{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.337{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.329{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x800000000000000098857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:49.534{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC8AA9AF937A8B70F5C1FF303AC82DC,SHA256=B2D9D71B372A0D351412454D8E6BCD42503591CCFB703E0906C0ECE84907E965,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.296{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.289{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.279{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.274{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.273{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.270{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.267{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.265{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.264{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.261{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.259{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.257{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000191969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:50.979{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4626C2612C7E63A452ED0B237E3CE4A6,SHA256=D94A158E7FC068210A3DA9CECF01B6B108B42A4CA57E10DFFADD09FDC0E1A6B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:50.628{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7536145A4EA5C61478745C2B4D5F8253,SHA256=FC0A48BFAF8CE2EDE3DBEF3D33D8B4549A38022AE1230ACD503F5CE1AAACFAA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:48.943{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60486-false10.0.1.12-8000- 354300x8000000000000000191967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:48.096{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54586- 23542300x800000000000000098859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:51.719{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5324A1DA74C81725DAF0F29853CDEA,SHA256=3795D522CDA97FDB0A8FE2111D0311A6534AAAA3715ABE49B8CB8255D9110E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:52.814{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D075E8A654DE1D228DC246F940914527,SHA256=4E5A0255D6F0881E317F3562CEAEA8EF28C0B460673E7501C49A6590B45671D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:52.029{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F99330C387E90964D0F5D788A85A34,SHA256=5D88CDB7822D98E80730CE56D545857BE80FCB3C997C09CA029BA20B273BA670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:53.910{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F226F9507D1B338AB6CE1CB39B20B9,SHA256=B130331D896E7C07516D5708ACABFEC8BD6AD4557ABFA4C04447DC5BF42D90EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:53.158{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7A86DEF0837353E90F5DF5A4303AFF,SHA256=2DD2B6C7F3294F46BF01DA5D1D3B9780AECFD27C2898B8812AB1626985C083C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:49.742{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53688-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:54.994{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E78CB2815AAD4E600EBEB8D36FAAB0A,SHA256=EFF47DA837A1EA8A20B6B3985F5AFBC611C3D8A4900EE169E9FE006CE0FB5AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.982{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCBEEDD524F60791B30964DFE9D45D1,SHA256=1A7A469DD36653CAC41A6DBD8C11FC91F5B4368A84EF8F5E518AD1D5828D66D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.859{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000192036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.859{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\System32\SHELL32.dll+ba960|C:\Windows\System32\SHELL32.dll+ba88d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+40098|C:\Program Files\Notepad++\notepad++.exe+4146d|C:\Program Files\Notepad++\notepad++.exe+f24c3|C:\Program Files\Notepad++\notepad++.exe+d4fce 10341000x8000000000000000192035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.859{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\System32\SHELL32.dll+ba960|C:\Windows\System32\SHELL32.dll+ba88d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+40098|C:\Program Files\Notepad++\notepad++.exe+4146d|C:\Program Files\Notepad++\notepad++.exe+f24c3|C:\Program Files\Notepad++\notepad++.exe+d4fce 10341000x8000000000000000192034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.859{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\System32\SHELL32.dll+ba960|C:\Windows\System32\SHELL32.dll+ba88d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4 10341000x8000000000000000192033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.859{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\System32\SHELL32.dll+ba960|C:\Windows\System32\SHELL32.dll+ba88d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+40098 734700x8000000000000000192032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.659{E8723972-5654-6356-2700-000000008902}2636C:\Windows\System32\dfssvc.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000192031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.667{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000192030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.667{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000192029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.667{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000192028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.667{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000192027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.667{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000192026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.667{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000192025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.667{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000192024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.659{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.644{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.644{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.644{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.644{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000192019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.643{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.643{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.643{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.643{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000192015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.642{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.642{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.642{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.641{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.641{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.641{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000192009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.639{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.639{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.639{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.639{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000192005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.638{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.637{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.637{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.637{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.637{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000192000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.635{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.635{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.635{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.634{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000191996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.633{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.633{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.632{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.632{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000191992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.566{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000191991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.566{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.566{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.566{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.566{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000191987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.541{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000191986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.540{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000191985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.504{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+1400b3|C:\Windows\System32\SHELL32.dll+13f654|C:\Windows\System32\SHELL32.dll+13f3d3|C:\Windows\System32\SHELL32.dll+13f44f|C:\Windows\System32\SHELL32.dll+13f21a|C:\Windows\System32\COMDLG32.dll+10e08 10341000x8000000000000000191984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.504{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+1400b3|C:\Windows\System32\SHELL32.dll+13f654|C:\Windows\System32\SHELL32.dll+13f3d3|C:\Windows\System32\SHELL32.dll+13f44f|C:\Windows\System32\SHELL32.dll+13f21a|C:\Windows\System32\COMDLG32.dll+10e08 10341000x8000000000000000191983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.504{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+1400b3|C:\Windows\System32\SHELL32.dll+13f654 10341000x8000000000000000191982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.504{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+1400b3|C:\Windows\System32\SHELL32.dll+13f654|C:\Windows\System32\SHELL32.dll+13f3d3 10341000x8000000000000000191981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.497{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+6cf83|C:\Windows\System32\SHELL32.dll+6d2c4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x8000000000000000191980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.482{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+6cf83|C:\Windows\System32\SHELL32.dll+6d2c4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x8000000000000000191979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.482{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+6cf83|C:\Windows\System32\SHELL32.dll+6d2c4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x8000000000000000191978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.482{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+6cf83|C:\Windows\System32\SHELL32.dll+6d2c4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 10341000x8000000000000000191977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.459{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+11f14e|C:\Windows\System32\windows.storage.dll+11e956|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834 10341000x8000000000000000191976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.443{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+11f265|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+85775|C:\Windows\System32\windows.storage.dll+87126|C:\Windows\System32\windows.storage.dll+879a1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+e020c|C:\Windows\System32\SHELL32.dll+dfd55|C:\Windows\System32\SHELL32.dll+e086d|C:\Windows\System32\SHELL32.dll+e3e8f|C:\Windows\System32\SHELL32.dll+13ff02|C:\Windows\System32\SHELL32.dll+13fa22|C:\Windows\System32\SHELL32.dll+13f63f|C:\Windows\System32\SHELL32.dll+13f3d3 10341000x8000000000000000191975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.443{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+11f1e1|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+85775|C:\Windows\System32\windows.storage.dll+87126|C:\Windows\System32\windows.storage.dll+879a1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+e020c|C:\Windows\System32\SHELL32.dll+dfd55|C:\Windows\System32\SHELL32.dll+e086d|C:\Windows\System32\SHELL32.dll+e3e8f|C:\Windows\System32\SHELL32.dll+13ff02|C:\Windows\System32\SHELL32.dll+13fa22|C:\Windows\System32\SHELL32.dll+13f63f|C:\Windows\System32\SHELL32.dll+13f3d3 10341000x8000000000000000191974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.443{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+11f1c5|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+85775|C:\Windows\System32\windows.storage.dll+87126|C:\Windows\System32\windows.storage.dll+879a1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+e020c|C:\Windows\System32\SHELL32.dll+dfd55|C:\Windows\System32\SHELL32.dll+e086d|C:\Windows\System32\SHELL32.dll+e3e8f 10341000x8000000000000000191973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.443{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+11f1c5|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+85775|C:\Windows\System32\windows.storage.dll+87126|C:\Windows\System32\windows.storage.dll+879a1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+e020c|C:\Windows\System32\SHELL32.dll+dfd55|C:\Windows\System32\SHELL32.dll+e086d|C:\Windows\System32\SHELL32.dll+e3e8f|C:\Windows\System32\SHELL32.dll+13ff02 23542300x8000000000000000191972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.182{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A7BF01ADB49175C2B245492372EBCF,SHA256=1F528F8A36C0D2CBDB171B32A2B2DD20D73FC155F8666EB89EF00EC58F095D6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:55.984{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:55.984{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:55.984{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:55.745{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE8F6100523565CB6E03CE9D1E840ECC,SHA256=645CC2C80436EA98FC98F874082AAC929B9A9D7ECDD679A5470E74FD1F3D42D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:55.585{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=28D79F096F6F3DB6C5D5BD86430A193B,SHA256=8CE225B34141FEA6FF08EC0DA2E093BAAA348B8479218AD59A8BE299413F77ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:55.299{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96239C9BBFE783E884D720C27AC94223,SHA256=550E4E38C248560BB8FDC7A54B580CFE6CABCCDD02EB3EB711746D5CA0286575,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000192053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.536{E8723972-5654-6356-2700-000000008902}2636win-dc-ctus-attack-range-702.attackrange.local0fe80::75c1:3a3a:67d4:9dd2;::ffff:10.0.1.14;C:\Windows\System32\dfssvc.exe 23542300x8000000000000000192052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:56.384{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F523C0D32D5DACE6D9FB07E41895AF,SHA256=6DBE97FC92786A8B4D52D0F958DCFE4F6CF906BBFAB87F2A813C00BC676B76BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.552{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60490-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.552{E8723972-5654-6356-2700-000000008902}2636C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60490-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.534{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60489-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.534{E8723972-5654-6356-2700-000000008902}2636C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60489-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.520{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60488-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local445microsoft-ds 354300x8000000000000000192046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.520{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60488-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local445microsoft-ds 354300x8000000000000000192045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:53.947{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60487-false10.0.1.12-8000- 23542300x800000000000000098864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:56.084{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A4202321451ED3B292319A2D03CFA0,SHA256=F1DD9CE13576B840329807A92BB00479A2C1F8B04731E99731E24DDB33E0D07E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:57.399{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92AA375FE981EE824088F173BB757906,SHA256=9D59AC6933FA504C0C1AFEC8937610D3C13737167248A02CB89B0508278A287B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A86D-6356-3A0A-000000008A02}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A86D-6356-3A0A-000000008A02}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A86D-6356-3A0A-000000008A02}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.918{3A30D728-A86D-6356-3A0A-000000008A02}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.170{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7622A27041454BDF5E7BB4BF68D2D3AB,SHA256=E28D7BC31413755A3DCE5E6E0A602DD28E0DB92C7E25750B8D20A19594FA2065,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000192055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:57.115{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbs2022-10-24 14:44:33.924 23542300x8000000000000000192054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:57.115{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbsMD5=D679CB8E34316319E728022F17DD5A5C,SHA256=062A8BE0E41E4DB441D5E580B23AE4A6A1B3C4A82B72CE322C917689F75367A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:58.502{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A4B2C690B0E1BF7482242107B2B2CC,SHA256=AC03409F304A552ED77135FBCC7B063A32249704A7A57E223A94840E8E9A2B9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:55.738{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53689-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.571{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8799EF8A053C87E991B90A9185CEDA78,SHA256=9B289D792A52B54AFB336D42B0F6A2F25AA3BAC5C3861ED7ED882C6DB160576E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A86E-6356-3B0A-000000008A02}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A86E-6356-3B0A-000000008A02}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A86E-6356-3B0A-000000008A02}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.494{3A30D728-A86E-6356-3B0A-000000008A02}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.463{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DAE6716E23FEC75446E32600C0C3AE65,SHA256=735AC4B2251DD128AF911A8EFCC6D167FC79B48DCA4B1862AB9E76C28D04626E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.245{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246BE63003E298572411DBB4E75AB550,SHA256=62C3F55C1C6B623B1DDD00E5D11240E5DCD645932C7711725CAFE1712BDF7D37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.121{3A30D728-A86D-6356-3A0A-000000008A02}28242580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:59.768{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FE2AEEE7968E58B8F0F7AABA4E074154,SHA256=984AEA24C9D19D4108BD21484A5C2824063FED8235E8E1811A9D882E25AFA123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:59.614{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45978C3B481F1DEB6C0F53C731FECB84,SHA256=9F4D930AE8E4A4680F0EBFDCC8A6C19FC5544D62248CDD344292571640730E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.446{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A51A18F853422F4E247A74E60C596E7D,SHA256=38C3D1084551FBBC1C8E37E365AC03BF03D18D4701FF83DD2ACA7007A393AEE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:57.850{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60491-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:57.849{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60491-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 10341000x800000000000000098910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A86F-6356-3C0A-000000008A02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A86F-6356-3C0A-000000008A02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A86F-6356-3C0A-000000008A02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.118{3A30D728-A86F-6356-3C0A-000000008A02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.008{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A81190760EC3FC934D0E4AAB96D3F4CD,SHA256=2AF325029341D2383F5BB752A276F1F978E947188A84A72D4919A4EF78D4CE71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:00.640{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C70E97210FFD642B753D1D6E2F248C,SHA256=869A779B44C01D3B34012CE7FC7FDFC2F79C5018269D457634F3EA7FF4350545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.544{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF12521CF4D12FF72B30E61B22F18D9,SHA256=7FD702C7930E3C048957532F9E9BB52FAAB835F4AD0D2BB926BD759DB81FCC47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.263{3A30D728-A870-6356-3D0A-000000008A02}2964580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A870-6356-3D0A-000000008A02}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A870-6356-3D0A-000000008A02}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A870-6356-3D0A-000000008A02}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.092{3A30D728-A870-6356-3D0A-000000008A02}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000192070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:01.869{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7b219|C:\Program Files\Mozilla Firefox\xul.dll+e7b4fb|C:\Program Files\Mozilla Firefox\xul.dll+121a1ab|C:\Program Files\Mozilla Firefox\xul.dll+121a2d5|C:\Program Files\Mozilla Firefox\xul.dll+e77df7|C:\Program Files\Mozilla Firefox\xul.dll+e5b267|C:\Program Files\Mozilla Firefox\xul.dll+1fd3342|C:\Program Files\Mozilla Firefox\xul.dll+1aa5caa|C:\Program Files\Mozilla Firefox\xul.dll+1aa835d|C:\Program Files\Mozilla Firefox\xul.dll+1ebe0b2|UNKNOWN(00000047E9CC32E3) 10341000x8000000000000000192069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:01.869{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7b219|C:\Program Files\Mozilla Firefox\xul.dll+e7b4fb|C:\Program Files\Mozilla Firefox\xul.dll+121a1ab|C:\Program Files\Mozilla Firefox\xul.dll+121a2d5|C:\Program Files\Mozilla Firefox\xul.dll+121a2d5|C:\Program Files\Mozilla Firefox\xul.dll+e77df7|C:\Program Files\Mozilla Firefox\xul.dll+e5b267|C:\Program Files\Mozilla Firefox\xul.dll+1fd3342|C:\Program Files\Mozilla Firefox\xul.dll+1aa5caa|C:\Program Files\Mozilla Firefox\xul.dll+1aa835d|C:\Program Files\Mozilla Firefox\xul.dll+1ebe0b2|UNKNOWN(00000047E9CC32E3) 10341000x8000000000000000192068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:01.869{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7b219|C:\Program Files\Mozilla Firefox\xul.dll+e7b4fb|C:\Program Files\Mozilla Firefox\xul.dll+121a1ab|C:\Program Files\Mozilla Firefox\xul.dll+121a2d5|C:\Program Files\Mozilla Firefox\xul.dll+e77df7|C:\Program Files\Mozilla Firefox\xul.dll+e5b267|C:\Program Files\Mozilla Firefox\xul.dll+1fd3342|C:\Program Files\Mozilla Firefox\xul.dll+1aa5caa|C:\Program Files\Mozilla Firefox\xul.dll+1aa835d|C:\Program Files\Mozilla Firefox\xul.dll+1ebe0b2|UNKNOWN(00000047E9CC32E3) 10341000x8000000000000000192067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:01.869{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7b219|C:\Program Files\Mozilla Firefox\xul.dll+e7b4fb|C:\Program Files\Mozilla Firefox\xul.dll+121a1ab|C:\Program Files\Mozilla Firefox\xul.dll+e77df7|C:\Program Files\Mozilla Firefox\xul.dll+e5b267|C:\Program Files\Mozilla Firefox\xul.dll+1fd3342|C:\Program Files\Mozilla Firefox\xul.dll+1aa5caa|C:\Program Files\Mozilla Firefox\xul.dll+1aa835d|C:\Program Files\Mozilla Firefox\xul.dll+1ebe0b2|UNKNOWN(00000047E9CC32E3) 23542300x8000000000000000192066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:01.769{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1529F0EDACAD60E0992ABE9F47F37429,SHA256=B7650F81B38A88FA273C5CA65D679D3ED7F577A6C21042608F14A1A0BCF932FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A871-6356-3F0A-000000008A02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A871-6356-3F0A-000000008A02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A871-6356-3F0A-000000008A02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.747{3A30D728-A871-6356-3F0A-000000008A02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.637{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B770DC46DF69FE63CFEC8E9D52CBC4,SHA256=471195958F8DDA3F0EB709D22004916AB7F10FA130C8DB14B45ADD656BAED404,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:01.450{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:01.441{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:01.441{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.514{3A30D728-A871-6356-3E0A-000000008A02}25564036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A871-6356-3E0A-000000008A02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A871-6356-3E0A-000000008A02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A871-6356-3E0A-000000008A02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.246{3A30D728-A871-6356-3E0A-000000008A02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:02.728{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C392028293DB980272B8E42042080DB4,SHA256=B6C53A5A8837A670CAFF50A58A7A6FEDE810F15C19CE1DA5FB5769B3565DFF50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:02.792{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207E3786659D67AC339946DD7992766C,SHA256=A156A65822A42789DB27D990FCE6AE7090E13CCDEBC54624BB03560F98FCD5B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:59.956{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60492-false10.0.1.12-8000- 23542300x800000000000000098956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:02.386{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=24A4A76CB83C832B2373EB525688C255,SHA256=96BCB4A3A966C7FB4AD60B0ADF148284345E7E9F01ABCEF761A3BC2FE9F7D316,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:02.028{3A30D728-A871-6356-3F0A-000000008A02}27721336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.841{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.838{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.835{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.832{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.831{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.826{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.825{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.820{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.818{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.815{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.812{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.798{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 23542300x800000000000000098975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.797{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC6FE4722F17F2FDC904FDEC938797C,SHA256=89FFB77D8FF735DB6D1BD45AE2E2918FFB54F68321DA77B7471C3A9A7AAB369E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.792{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.773{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.757{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.733{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000192077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:03.876{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7ae27|C:\Program Files\Mozilla Firefox\xul.dll+855845|C:\Program Files\Mozilla Firefox\xul.dll+84891a|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:03.876{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7ae27|C:\Program Files\Mozilla Firefox\xul.dll+855845|C:\Program Files\Mozilla Firefox\xul.dll+84891a|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:03.876{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7ae27|C:\Program Files\Mozilla Firefox\xul.dll+855845|C:\Program Files\Mozilla Firefox\xul.dll+84891a|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:03.876{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7ae27|C:\Program Files\Mozilla Firefox\xul.dll+855845|C:\Program Files\Mozilla Firefox\xul.dll+84891a|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:03.808{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1D63E500781916C59DE4245DE7A539,SHA256=DF34699A62595A76C386DA0FCD6510827FAED7B2176570E22B2CEB2075DCAD57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.728{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.714{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.666{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.659{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.650{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.642{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.630{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.620{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.603{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.525{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.486{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.391{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.387{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 23542300x800000000000000098988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:04.876{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2D44694DD502730634955A4B4B6A96,SHA256=184A15B9A53A6DE1A3AA449CD63B4AE843501BF3572106CBF47E013A27F44F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.875{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87ED4FB4D4FFFE23547510D2B1F7A63,SHA256=DF807CB4C80267011FEFCE159018E713185853070C7102004738891981144940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.960{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B284F3B5000F4437A0CD0C9842489F05,SHA256=662B37F47D0EAAF68B6E5981BD43BA523C86A3B6963F1743CADE4CDD70C632F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:05.907{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B305FB67768B80C0A65C9BC1FC1451E2,SHA256=D77FEF1BC25802976C26A2BB5A6739BA6C2EEE88404A6F19FC591AB218FB2A84,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.749{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53690-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000099001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.015{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A875-6356-400A-000000008A02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.014{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.014{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.014{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.014{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.014{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.014{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.012{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.012{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.012{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.012{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A875-6356-400A-000000008A02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.012{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A875-6356-400A-000000008A02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.011{3A30D728-A875-6356-400A-000000008A02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:06.939{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1BF4051D6198C64BA910F854C47D64,SHA256=3F9D45E2A43335FBFC6644B54254F1A368EE3BA6630A7A72A36BC34E85CE17B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:06.176{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CE056692DAD2E425FFCD98B74B7C500,SHA256=6AEC805BB4D495E376FE06686BF36D14A95DC77399C68EA0639CA27B29137E15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.790{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.788{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.786{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.783{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 22542200x8000000000000000192106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.269{E8723972-5A49-6356-0405-000000008902}5716www.google.com02607:f8b0:4009:818::2004;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000192105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.268{E8723972-5A49-6356-0405-000000008902}5716www.google.com0142.250.191.164;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000192104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.267{E8723972-5A49-6356-0405-000000008902}5716www.google.com0::ffff:142.250.191.164;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000192103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.405{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.396{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.388{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 354300x8000000000000000192100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.264{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55894-false142.250.191.164ord38s30-in-f4.1e100.net443https 354300x8000000000000000192099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.264{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local59258- 354300x8000000000000000192098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.263{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53051- 354300x8000000000000000192097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.260{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55893- 10341000x8000000000000000192096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.382{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.379{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.377{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.375{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.352{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.347{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.335{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.330{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.323{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.313{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.305{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.294{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.284{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.275{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.268{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.227{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.224{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.974{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.953{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A7E9-6356-E30F-000000008902}9672C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7ae27|C:\Program Files\Mozilla Firefox\xul.dll+855845|C:\Program Files\Mozilla Firefox\xul.dll+84891a|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.923{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A7E6-6356-E20F-000000008902}9316C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7ae27|C:\Program Files\Mozilla Firefox\xul.dll+855845|C:\Program Files\Mozilla Firefox\xul.dll+84891a|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.915{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e744c9|C:\Program Files\Mozilla Firefox\xul.dll+e74e98|C:\Program Files\Mozilla Firefox\xul.dll+e623f4|C:\Program Files\Mozilla Firefox\xul.dll+43b02c6|C:\Program Files\Mozilla Firefox\xul.dll+2465108|C:\Program Files\Mozilla Firefox\xul.dll+9acb0e|C:\Program Files\Mozilla Firefox\xul.dll+965151|C:\Program Files\Mozilla Firefox\xul.dll+17f0c8|C:\Program Files\Mozilla Firefox\xul.dll+9b04e5|C:\Program Files\Mozilla Firefox\xul.dll+453a186|C:\Program Files\Mozilla Firefox\xul.dll+9712ea|C:\Program Files\Mozilla Firefox\xul.dll+974391|C:\Program Files\Mozilla Firefox\xul.dll+972ffb|C:\Program Files\Mozilla Firefox\xul.dll+972225|C:\Program Files\Mozilla Firefox\xul.dll+97d711|C:\Program Files\Mozilla Firefox\xul.dll+8afee2|C:\Program Files\Mozilla Firefox\xul.dll+82dd1f|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4 23542300x8000000000000000192113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.816{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\formhistory.sqlite-journalMD5=003AA3EAA40F825C33C92B033F1A28D3,SHA256=D6F4D1B1D7EC775A8C6D5D0723FAF2CBD71892777B630695B110117D7C9A09E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.968{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60493-false10.0.1.12-8000- 23542300x8000000000000000192111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.040{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5961FF3FC64C3F9D322E211D2AF7283C,SHA256=53BAA4458C78889375D24F8F3A22DCB232EC00E1D96EF1B295E42A83686C72B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:08.028{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9D30809F676808FEBE5367D91777FE,SHA256=20C586B6F8575AC103B560D38C9759B4849ABFECBB0FE1E1B3E50A45F6FBF30B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.986{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000192165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:00:08.974{E8723972-5A49-6356-0405-000000008902}5716\gecko.5716.2520.5594171981024703238C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000192164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:00:08.974{E8723972-5A49-6356-0405-000000008902}5716\gecko.5716.2520.5594171981024703238C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000192163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.974{E8723972-5A49-6356-0405-000000008902}57162520C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1a8e6d4|C:\Program Files\Mozilla Firefox\xul.dll+1a8c797|C:\Program Files\Mozilla Firefox\xul.dll+12a75|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+125a7|C:\Program Files\Mozilla Firefox\xul.dll+9d3fd1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000192162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:00:08.974{E8723972-5A49-6356-0405-000000008902}5716\chrome.5716.283.153585524C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000192161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.970{E8723972-5A49-6356-0405-000000008902}57165536C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+113deb|C:\Program Files\Mozilla Firefox\xul.dll+12f85dc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000192160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:00:08.970{E8723972-5A49-6356-0405-000000008902}5716\gecko-crash-server-pipe.5716C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000192159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.930{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e744c9|C:\Program Files\Mozilla Firefox\xul.dll+e64954|C:\Program Files\Mozilla Firefox\xul.dll+e735b2|C:\Program Files\Mozilla Firefox\xul.dll+f5584|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+1a6dc33|C:\Program Files\Mozilla Firefox\xul.dll+17ce8db|C:\Program Files\Mozilla Firefox\xul.dll+1a962ad|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.930{E8723972-5A49-6356-0405-000000008902}57162520C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9ee269|C:\Program Files\Mozilla Firefox\xul.dll+f5584|C:\Program Files\Mozilla Firefox\xul.dll+1a8c96f|C:\Program Files\Mozilla Firefox\xul.dll+12a75|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+125a7|C:\Program Files\Mozilla Firefox\xul.dll+9d3fd1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.926{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.926{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.926{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.926{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.926{E8723972-58FF-6356-7F01-000000008902}6482316C:\Windows\system32\csrss.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.926{E8723972-5A49-6356-0405-000000008902}57163324C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+aa82|C:\Program Files\Mozilla Firefox\firefox.exe+648e|C:\Program Files\Mozilla Firefox\xul.dll+7bd31e|C:\Program Files\Mozilla Firefox\xul.dll+9e90d4|C:\Program Files\Mozilla Firefox\xul.dll+9e7125|C:\Program Files\Mozilla Firefox\xul.dll+9ef13e|C:\Program Files\Mozilla Firefox\xul.dll+846b13|C:\Program Files\Mozilla Firefox\xul.dll+17cdaa7|C:\Program Files\Mozilla Firefox\xul.dll+17cc7f5|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+84a377|C:\Program Files\Mozilla Firefox\nss3.dll+711dc|C:\Program Files\Mozilla Firefox\nss3.dll+89b11|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.925{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe106.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5716.283.1535855244\1838015248" -childID 280 -isForBrowser -prefsHandle 10504 -prefMapHandle 11496 -prefsLen 34438 -prefMapSize 231165 -jsInitHandle 1016 -jsInitLen 246704 -a11yResourceId 64 -parentBuildID 20221019185550 -appDir "C:\Program Files\Mozilla Firefox\browser" - {975cb97c-96ed-4efe-950b-51d840b8a058} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" 7440 1ddbc716e58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442LowMD5=2C1C9646FE1E0E4523667FB6F258C59F,SHA256=BB0679AB0C71EF86E2A353C0B3B9258C42C104B3C9A3AD23647934B795D09ABD,IMPHASH=5358568F6EDC0DB44595BE82D0734963{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000192150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000192124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:00:08.918{E8723972-5A49-6356-0405-000000008902}5716\chrome.5716.283.153585524C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000192123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.697{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54893- 354300x8000000000000000192122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.695{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local51037- 10341000x8000000000000000192121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.809{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.807{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.802{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000192118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.053{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B61075FD1719A9624269AE383825248,SHA256=C1B5EC392A7D95E953FE350CE7DAB226EE2D1A5B30774804E0B53FF5432AAD25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:09.122{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D262B9738B386380B6794939FF2C36DA,SHA256=E4E998D0320973EC017F0C282F171BCB55344BBED06BA050B128051D72135968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.929{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62B75FBD65E9783FE166A51BF9EFB544,SHA256=734E65744AA494E6539296413C10E3F0C10F333C2115A2FC012404C2D7538CD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.786{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60495-false142.251.32.10ord38s33-in-f10.1e100.net443https 354300x8000000000000000192235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.768{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local52443- 354300x8000000000000000192234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.743{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60833-false172.217.2.34atl14s78-in-f2.1e100.net443https 354300x8000000000000000192233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.742{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55011- 22542200x8000000000000000192232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.834{E8723972-5A49-6356-0405-000000008902}5716iad.edge2.salesforce.com013.110.24.11;13.110.24.13;13.110.24.10;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000192231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.833{E8723972-5A49-6356-0405-000000008902}5716portal.microfocus.com0type: 5 portal.microfocus.com.00D1t000000vhDPEAY.live.siteforce.com;type: 5 n.edge2.salesforce.com;type: 5 virginia.edge2.salesforce.com;type: 5 iad.edge2.salesforce.com;::ffff:13.110.24.10;::ffff:13.110.24.11;::ffff:13.110.24.13;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000192230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.639{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FE1A63999B8790CBB3CB68D12882C6,SHA256=4CE1522405A3D7523CD19DB5803A49A744A7EA6E96A4871E73CAF163199944B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.601{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.601{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.601{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.600{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.600{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.600{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.508{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.501{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.500{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.497{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.495{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.493{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.490{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.487{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.484{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.484{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.482{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.481{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.478{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.464{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.464{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.463{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.462{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.461{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.460{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.458{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.455{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.453{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.450{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.448{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.440{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.439{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.414{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.410{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 354300x8000000000000000192195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.163{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60830- 354300x8000000000000000192194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.851{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54510- 10341000x8000000000000000192193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.401{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.400{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.399{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.387{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.379{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.350{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.343{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.335{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.331{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.329{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.327{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.324{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.322{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.321{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.317{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.317{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.314{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 354300x8000000000000000192176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.840{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60494-false13.110.24.10sledge2-iad.slb.sfdcsvc.net443https 354300x8000000000000000192175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.829{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55506- 23542300x8000000000000000192174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.102{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8668A114D859FCE1584298A75EE96D6,SHA256=460FC6666BBF90BE79DC12B3DCFE9658EAEE557CC6B88F957563210649940833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.102{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F104450969FA1D14E58956741D7893B4,SHA256=58CF583530D75CF5268C890007BDBAFE7690C4894DEA607D9E9265FA88838822,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.022{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.022{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.010{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.010{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000192168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:00:09.002{E8723972-5A49-6356-0405-000000008902}5716\LOCAL\cubeb-pipe-5716-279C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000192167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:00:09.002{E8723972-5A49-6356-0405-000000008902}5716\LOCAL\cubeb-pipe-5716-279C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000099010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:06.877{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53691-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:10.207{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865062055476C82FBDECF80FB90BD049,SHA256=409BD577461B8116E27A9FCFB8F2D34BEB2B13EB88F66B9A2E0E2F68BB37A2FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.880{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7ae27|C:\Program Files\Mozilla Firefox\xul.dll+855845|C:\Program Files\Mozilla Firefox\xul.dll+84891a|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.872{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e744c9|C:\Program Files\Mozilla Firefox\xul.dll+e74e98|C:\Program Files\Mozilla Firefox\xul.dll+e623f4|C:\Program Files\Mozilla Firefox\xul.dll+43b02c6|C:\Program Files\Mozilla Firefox\xul.dll+2465108|C:\Program Files\Mozilla Firefox\xul.dll+9acb0e|C:\Program Files\Mozilla Firefox\xul.dll+965151|C:\Program Files\Mozilla Firefox\xul.dll+17f0c8|C:\Program Files\Mozilla Firefox\xul.dll+9b04e5|C:\Program Files\Mozilla Firefox\xul.dll+9712ea|C:\Program Files\Mozilla Firefox\xul.dll+974391|C:\Program Files\Mozilla Firefox\xul.dll+972ffb|C:\Program Files\Mozilla Firefox\xul.dll+972225|C:\Program Files\Mozilla Firefox\xul.dll+97d711|C:\Program Files\Mozilla Firefox\xul.dll+8afee2|C:\Program Files\Mozilla Firefox\xul.dll+82dd1f|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+1a6dc33|C:\Program Files\Mozilla Firefox\xul.dll+17ce8db|C:\Program Files\Mozilla Firefox\xul.dll+1a962ad 23542300x8000000000000000192240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.528{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\permissions.sqlite-journalMD5=CF467F679F99AC28E36EE844438DA035,SHA256=44BAAAF03357199B1F412A22A090737B59EE38FFE40BDDEF9B1A3AC29A3318B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.820{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54131- 23542300x8000000000000000192238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.145{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124BFBD223CC7414A9D9CCC563208A78,SHA256=0C5365F0FC523328A97F470806975BAFF9A2797638752F5EAC7C7DBF0894B649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:11.303{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1E6CA54FF694A57537BC3AC1C1F05B,SHA256=60AD67D83ADC31DA89C6208B938335D26750E53D33E3BB223104F41D21D60F24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.963{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.963{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.951{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.951{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000192299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:00:11.944{E8723972-5A49-6356-0405-000000008902}5716\LOCAL\cubeb-pipe-5716-280C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000192298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:00:11.944{E8723972-5A49-6356-0405-000000008902}5716\LOCAL\cubeb-pipe-5716-280C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000192297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.927{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000192296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:00:11.923{E8723972-5A49-6356-0405-000000008902}5716\gecko.5716.2520.11327264078723547024C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000192295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:00:11.923{E8723972-5A49-6356-0405-000000008902}5716\gecko.5716.2520.11327264078723547024C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000192294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.923{E8723972-5A49-6356-0405-000000008902}57162520C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1a8e6d4|C:\Program Files\Mozilla Firefox\xul.dll+1a8c797|C:\Program Files\Mozilla Firefox\xul.dll+12a75|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+125a7|C:\Program Files\Mozilla Firefox\xul.dll+9d3fd1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000192293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:00:11.923{E8723972-5A49-6356-0405-000000008902}5716\chrome.5716.284.79720461C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000192292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.919{E8723972-5A49-6356-0405-000000008902}57165536C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+113deb|C:\Program Files\Mozilla Firefox\xul.dll+12f85dc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000192291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:00:11.919{E8723972-5A49-6356-0405-000000008902}5716\gecko-crash-server-pipe.5716C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000192290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.801{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local52616- 10341000x8000000000000000192289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.891{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e744c9|C:\Program Files\Mozilla Firefox\xul.dll+e64954|C:\Program Files\Mozilla Firefox\xul.dll+e735b2|C:\Program Files\Mozilla Firefox\xul.dll+f5584|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+1a6dc33|C:\Program Files\Mozilla Firefox\xul.dll+17ce8db|C:\Program Files\Mozilla Firefox\xul.dll+1a962ad|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.887{E8723972-5A49-6356-0405-000000008902}57162520C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9ee269|C:\Program Files\Mozilla Firefox\xul.dll+f5584|C:\Program Files\Mozilla Firefox\xul.dll+1a8c96f|C:\Program Files\Mozilla Firefox\xul.dll+12a75|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+125a7|C:\Program Files\Mozilla Firefox\xul.dll+9d3fd1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.883{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.883{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.883{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.883{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.883{E8723972-58FF-6356-7F01-000000008902}6482316C:\Windows\system32\csrss.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.883{E8723972-5A49-6356-0405-000000008902}57163324C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+aa82|C:\Program Files\Mozilla Firefox\firefox.exe+648e|C:\Program Files\Mozilla Firefox\xul.dll+7bd31e|C:\Program Files\Mozilla Firefox\xul.dll+9e90d4|C:\Program Files\Mozilla Firefox\xul.dll+9e7125|C:\Program Files\Mozilla Firefox\xul.dll+9ef13e|C:\Program Files\Mozilla Firefox\xul.dll+846b13|C:\Program Files\Mozilla Firefox\xul.dll+17cdaa7|C:\Program Files\Mozilla Firefox\xul.dll+17cc7f5|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+84a377|C:\Program Files\Mozilla Firefox\nss3.dll+711dc|C:\Program Files\Mozilla Firefox\nss3.dll+89b11|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.884{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe106.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5716.284.797204616\1428898433" -childID 281 -isForBrowser -prefsHandle 6868 -prefMapHandle 5888 -prefsLen 34438 -prefMapSize 231165 -jsInitHandle 1016 -jsInitLen 246704 -a11yResourceId 64 -parentBuildID 20221019185550 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4e5c074-c88a-4005-98c2-dc771509129c} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" 9580 1ddc52fdb58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442LowMD5=2C1C9646FE1E0E4523667FB6F258C59F,SHA256=BB0679AB0C71EF86E2A353C0B3B9258C42C104B3C9A3AD23647934B795D09ABD,IMPHASH=5358568F6EDC0DB44595BE82D0734963{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000192280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000192254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:00:11.875{E8723972-5A49-6356-0405-000000008902}5716\chrome.5716.284.79720461C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000192253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.540{E8723972-5A49-6356-0405-000000008902}5716e13636.dscb.akamaiedge.net02600:1408:c400:790::3544;2600:1408:c400:789::3544;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000192252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.538{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60497-false23.61.192.183a23-61-192-183.deploy.static.akamaitechnologies.com443https 354300x8000000000000000192251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.516{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local62304- 354300x8000000000000000192250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.515{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53880- 354300x8000000000000000192249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.515{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59412- 354300x8000000000000000192248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.491{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local52243- 354300x8000000000000000192247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.487{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local58034- 354300x8000000000000000192246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.487{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local59412- 354300x8000000000000000192245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.000{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60496-false10.0.1.12-8000- 23542300x8000000000000000192244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.159{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7AABDDD6602041E9548158B359E082,SHA256=09FB8E21783074DC76E65F90014B750AAB8C21F0144FB6CDCD7171AAC7DB68F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.131{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:12.397{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D598928F835C23BE62FF7BE3602B3C5B,SHA256=86D2E0F7B21B87A30601B72D8D1618479629F38B30836594580F4D8AB922E26A,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000192317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.808{E8723972-5A49-6356-0405-000000008902}5716part-0012.t-0009.fbs1-t-msedge.net02620:1ec:40::40;2620:1ec:49::40;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000192316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.807{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\25820MD5=904415D33127620F465EBF3E0AFF1483,SHA256=DF4200E04E7BF64DBC2FACC24BB0CB28F0647075494CC93A5A17ECDD2A53BDD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.807{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\29105MD5=F9607DAC2887A0E56855B114523A5123,SHA256=14890FA159F6356EDE94ED27D13155CAA41D32E90DCB9079C2B9364D3D6E4219,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.609{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.609{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.609{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.609{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.609{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.609{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000192308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.243{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9FDF90D8E1726574ABB780C320D12F0,SHA256=DCFC2EC406FA2D5EDD419ADE382FA6936FA4E7E818685D1597AC268E2B0B61D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.241{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E69B88490D3A5B548C8CE870D613525,SHA256=5F2F8ACE6F3E0FC9091F87E0B90E5996353651FF7D34DFDE4A8217C4D0F2318D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.819{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60499-false13.107.219.40-443https 354300x8000000000000000192305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.815{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60498-false13.107.219.40-443https 23542300x8000000000000000192304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.049{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\permissions.sqlite-journalMD5=B29B6FD2B5CFB50398113D64D30DA1A3,SHA256=1A927D7AA07BC29CE80E82AC27536D88CA5D708B61EC06C5A1EDC5D9B6B0CCE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:13.491{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B18B6EFADFF14FA45B0D459035A179F,SHA256=E4573B3E5DCC76C0F0B16E61B75F525D3A9D4D3B20AA70379B6AB2ADAE72C698,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000192327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.122{E8723972-5A49-6356-0405-000000008902}5716onedscolprdeus11.eastus.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000192326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.109{E8723972-5A49-6356-0405-000000008902}5716onedscolprdeus11.eastus.cloudapp.azure.com020.42.65.89;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000192325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:13.698{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=B7EF6653D7843F89B1F156579040134C,SHA256=957FF89529B5AA92438898D066678FF1555740FEA6183673037BDA51A566BFFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:13.689{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++www.google.com\ls\usageMD5=9D0AE2C65DC5C2ED567F3650E8CB51ED,SHA256=1B4B1589498A309295FFD238FBBBE60A2108DF3E090D6DDAE94CFAB704C8AAE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.117{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60501-false20.42.65.89-443https 354300x8000000000000000192322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.104{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local56690- 354300x8000000000000000192321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.102{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local61887- 354300x8000000000000000192320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.215{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60500-false20.110.81.91-443https 354300x8000000000000000192319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.198{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local51561- 23542300x8000000000000000192318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:13.264{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3974FC76A91170612F74B0B227C5F40F,SHA256=BE4362DB24C88601ED6B14164768BA7C0F0D3BDEEF91938042F61620589E51AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:14.578{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021D6CC2B07CA5B4BE1DABF99B2DAF40,SHA256=DC74A3F3D59AEB2599E28246E508F4CC7558F7E48486A5467EB9A667C523DF90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:13.108{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local52892- 23542300x8000000000000000192328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:14.287{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5245EDF4765CC5C3AB0F8A2BF0E5136A,SHA256=DBA48F988C3851245EC1ED35812E7B9CE5BBFC6D5A2ACAFE8ADC7AEDE0CE5D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:15.673{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EEF22CD0104F3F09316F3008B2E903D,SHA256=7A86937DAE875BA56D8F15C0910F88D3AC1DFFBF79D01F436DEAC275D0F50309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:15.311{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075C07FF64687D549CFD0426282265EC,SHA256=E9AC5372B35C1BBF80E4EBB3024A85CF0069C0D05734DC3CEA9CDF78898921E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:16.770{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E58925BBAA647F512E3A89327C442F,SHA256=8A3BBA4A4A58896102CBE9ED2A821A11CD6CE7A976A4DCF6B3C601EE5B6522E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:15.015{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60502-false10.0.1.12-8000- 354300x8000000000000000192333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:14.356{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local59142- 354300x8000000000000000192332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:14.341{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53869- 23542300x8000000000000000192331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:16.345{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECFCB2546B4FA15DCB0CDC90DEADE00,SHA256=1D9DB6CF38B2FCD5BCEB2E779BB0A1F3BB4094A6B9CD59D6DCCB3DE5A4175A69,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:12.879{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53692-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:17.899{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:17.883{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B4AF7B8DDAA074E04EFD11FDB81F38,SHA256=909D00079CE69335D1EB5642ECEE539F08D1611B8276036E2B00850CAF3312A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:17.353{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFD1CC245EE22827860892EF4C833AB,SHA256=57543EBE9BCDA763DC9AA2F86ACCED8679F211EEC40BBA3B8660293C77A85680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:18.973{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186EE8C8E7C34CFAA314F3F8BB730A16,SHA256=7BA0F07C366CFBF14A1D3B287C464083A2F0D876B4DF1D8A0FFEB6E691352C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:18.379{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED254DB50AA8310BDA5420FD6F48273,SHA256=AA1C58681949C2EEE5542CBBA87B7B2A28DFE739C9061118476DACD7E23AD088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:19.404{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA07629D37091027C2D26D869C268B50,SHA256=4A4F50505317C3F82630E463E5F8B2558B470C9EA4FE443E1BABA1B2FCE755E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:16.576{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53693-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000192338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:20.441{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A95D95255514C37270100E70036B23,SHA256=0CD96C571BA5A4431A197651D110A92266DCA8986C7C421CC54898C182AA2BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:20.067{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1A4C66BFCC5EC714B18E381A13F35E,SHA256=7A02426E228A3625B602F1104D782354740FDE0DA32EFC73A45AB2F989D34514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:21.452{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A331CB2A27461699187EB953DC6786,SHA256=3293A3451FBF5A9BDA3689150B4D3C2F701527554A49B921B954A80657898991,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:18.744{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53694-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:21.153{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CFD44EF61A513F858E00C6863873BD,SHA256=9FC45D918815A5C8BADE2B7F7CB10159581E94140C144DEE12F7DDCFE4040588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:22.259{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE74B0696D0B043E09B6627E4CB39F6,SHA256=D7FC20C118A58E79677896ABAA3CD6D66A14F9C67BE60ACD5DC1C8BA3A57C928,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:20.946{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60503-false10.0.1.12-8000- 23542300x8000000000000000192341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:22.481{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C2C27FABEEFE526D640DE1708611F72,SHA256=9B02995C7ED20DA1A2F735704977CC8C3D069FFADACE560DE1D0D432455C9261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:22.355{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-341MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.942{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-331MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.621{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.618{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.614{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.610{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.609{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.601{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.599{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.594{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.591{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.576{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.572{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.567{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.565{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.554{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.544{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.523{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.520{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.503{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.470{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.464{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.458{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.446{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.436{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.426{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.417{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.407{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.398{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.384{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.379{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 23542300x800000000000000099026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.346{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5BDC47E7BB0BF7FF1A51EE993EFEBF,SHA256=A6348BD1ABB92000D8861936DB561124759E4874E8C4AD1F9244C9AD35C586BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:23.605{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0E34D12162020185BEAB17FF72A295,SHA256=6E978731DFF0C5EF965721545CE37482870E68A3DBF14FFBC82CBC68B3997961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:23.357{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-342MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:24.950{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-332MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:24.870{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB8059136937E3392DA47F942D79406,SHA256=BAB244734007ECC710DA636725DAF99955A13DD1C7C36B0FA55A37BA34E7E098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:24.632{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73CD4C5A4FDF6CC11AA33882DE4E3EA,SHA256=FD985088BC1E113E1A70843A3F2BE39159C7012243BEE289BF48D06288E63786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:25.955{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9423F6BEFA7258BF85E87967A7EB931,SHA256=435E01146BB113317B9E2A08939EADE4ACF2993F1C03596443CBB5752676D5C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:25.646{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6714F186DAD64AA3344972F4E44703,SHA256=4FACBB9E7230CE86A530B386186202F1687B9CA32FACE3936419C383DD24EF8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.770{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.769{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.767{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.764{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000192384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.735{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C0C5E0EA0C2B47E8A3748001EB76BA,SHA256=2FC31A7A0A23D5DCA3DE98B3083D6C0D2801EF71B892BA1388A924B61E361D72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.710{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A88A-6356-FE0F-000000008902}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.705{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.705{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.705{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A88A-6356-FE0F-000000008902}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.705{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.705{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.704{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A88A-6356-FE0F-000000008902}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.703{E8723972-A88A-6356-FE0F-000000008902}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000099060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.934{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53695-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000192375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.403{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.394{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.389{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.384{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.381{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.379{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.377{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.355{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.351{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.338{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.334{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.326{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.318{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.311{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.301{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.295{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.282{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.274{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.233{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.231{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.197{E8723972-A88A-6356-FD0F-000000008902}67767760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.029{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A88A-6356-FD0F-000000008902}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.025{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.025{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.025{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.025{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.025{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A88A-6356-FD0F-000000008902}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.025{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A88A-6356-FD0F-000000008902}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.025{E8723972-A88A-6356-FD0F-000000008902}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.790{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485FFEBA60A67967F4CF4F61D50A74B5,SHA256=A8940D1A977BE0ECB1B618A0E59B6AA7F6AA9D968DA6061DD19A3295502AA790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:27.048{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B877930BB23769BED36C46900D0D7228,SHA256=313EEF4D7FC34FAA834A4CC0267862B3121DD893D573082C4AE671BAC2C63BD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.261{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A88B-6356-FF0F-000000008902}9312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.257{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.257{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.257{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.257{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.257{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A88B-6356-FF0F-000000008902}9312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.257{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A88B-6356-FF0F-000000008902}9312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.257{E8723972-A88B-6356-FF0F-000000008902}9312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.181{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\aborted-session-pingMD5=4DFF9B5C59A83EE9B0BF5D0C07E38660,SHA256=7AFF04725FFBACB4B8E254FD78DDFF9905C1AB3E60CC26B97AB7B7C3A07BEC7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.139{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD588D0F905DF48ACAA2B00282A3C55A,SHA256=72E5D5810DAE08CD9A6CD1C111B541F4103C5A546B235E3A3D8E2BC988115ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.814{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56C678D8DD4C9004F64B31E40FD8DEF,SHA256=E7BF6FD09B2C15A1732D02FD7030E1DC165CBA80F34DC2A1CCF9400A73B77E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:28.136{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E28B19A708CAAE43140A646335DFDDB,SHA256=DB14BEB2FAA872A024F7A06B10F96B8B50760AE4037CF8997301CCD8B24582E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.784{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.783{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.778{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.729{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.729{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.728{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.715{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000192401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.031{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60504-false10.0.1.12-8000- 23542300x8000000000000000192400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.213{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=43764816D5C880BF6E8EBC62377457AE,SHA256=6CD6AF3F741D82D5570BD108A334CADB04DA41FC0B9987B86F7D88C69D8EB8F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:29.225{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259CD133B3CB2E9FAB90D97165368D30,SHA256=02593F10F7DDE0FE4CFABF7D2B23885A181652DA12B907B3621E271AFFBC436E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.838{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0F4698362B26C7BD3D2D415487A08924,SHA256=B0B980AA3E9232AEC43D595405B6AF67EF3D1A7E83FBDA3664F05937ACFCFA34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.525{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.523{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.521{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.514{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.513{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.510{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.508{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.505{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.501{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.497{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.496{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.494{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.493{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.489{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.474{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.473{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.473{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.472{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.470{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.469{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.467{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.463{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.460{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.457{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.455{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.444{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.442{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.415{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.411{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.400{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.399{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.398{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.378{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.368{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.333{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.327{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.316{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.310{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.309{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.305{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.302{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.298{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.297{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.294{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.293{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.290{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x800000000000000099064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:30.309{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D41C51DE4098140FA81588C1B4AF12,SHA256=4908D141283F04A979A4A48E5F1A7FBA23E7A86FDA71A14939CC0091181446F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.783{E8723972-A88E-6356-0010-000000008902}69647876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.741{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.741{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.741{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.741{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.741{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.741{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.604{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.600{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.600{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.600{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.600{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.600{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.600{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.601{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.364{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2A6EE26FEC5910E4C8ACBDBF94BEE1,SHA256=52E2A070C9E3C88E4F365FDCC61BB56861B8652FF387C556FACE696AA26B4BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:31.392{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D9A164A9EB6D335B460B0A50D2BC03,SHA256=350AB5295017BD693592A8AD6633D6FA71A56D7ECE7BFB1E7C29924219BC2C2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.932{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A88F-6356-0210-000000008902}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.928{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.928{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.928{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.928{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.928{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A88F-6356-0210-000000008902}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.928{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A88F-6356-0210-000000008902}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.929{E8723972-A88F-6356-0210-000000008902}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000192489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.896{E8723972-5904-6356-9601-000000008902}52568660C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.896{E8723972-5904-6356-9601-000000008902}52568660C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.896{E8723972-5904-6356-9601-000000008902}52568660C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.888{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.888{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.888{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.888{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.452{E8723972-A88F-6356-0110-000000008902}73769188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.383{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC376EA368623606B66F48E9C4AC3C9E,SHA256=935447C37273BF0AB492B696AB40936B8616E98EDF5BA2849D73BC9E0ABBDB26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.275{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A88F-6356-0110-000000008902}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.271{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.271{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.271{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.271{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.271{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A88F-6356-0110-000000008902}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.271{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A88F-6356-0110-000000008902}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.272{E8723972-A88F-6356-0110-000000008902}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.962{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DACCC2C16AD642E2416BDD4C05E8E1C5,SHA256=ED06D5A5D8E44A3F606C316938976FF1D41C9670FD0ED9819D89BA0A554ACC46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.686{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A890-6356-0310-000000008902}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.682{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.682{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.682{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.682{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.682{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A890-6356-0310-000000008902}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.682{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A890-6356-0310-000000008902}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.682{E8723972-A890-6356-0310-000000008902}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.624{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691B4A1F0DBF43C75FFE7EBB0C378D55,SHA256=CA5CCC8FE4F3BF8C759DA4D397552251AD464177F453001C40D934ED8729A671,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:29.704{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53696-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:32.687{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F31FA1444086ED2DEBD7D160E1A8132B,SHA256=F954934F204AD7DDC4A82ABEE62F988A34698380CBC8A6D9FA9628BE5D454C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:32.484{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C92A9F71B5AA3F89C0D5EF7FD41C319,SHA256=03499996CC8111390475BA01A205E9CDBE0FFD9FBCDCC3BCEEE9FFA788F66772,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.121{E8723972-A88F-6356-0210-000000008902}58324788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:33.652{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0DD2C039C3B0E9E2A06817C0288FFB,SHA256=7F50DA1A84E4B029781E6CAAB3EA29A2BE9C2C9A981519B278043C564B03F705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:33.567{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D88CA700427F90CED569C13C5858234,SHA256=4AC8AF47F0B2212158A7E9403DFE04D5EB7D4AA4C4CFB72FFB26D6A0BD4FC78E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:34.682{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F472072EB836EA3FA2DEBF195C1E7DFB,SHA256=457ECAD2E30BFAE5316C602E863BDDBF4D2C14C8806D2FC0A08984E7590A9786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:34.691{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B050C5DD6C15AC194B903F9DFD5A94D8,SHA256=8E90803E6E7D7673E2B34BCEAE76F332CCCFC8BF10B802837E708A1A4723C28D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:33.160{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54866- 354300x8000000000000000192512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:33.145{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local51078- 354300x8000000000000000192511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.928{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60505-false10.0.1.12-8000- 23542300x8000000000000000192510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:34.117{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=CC33E5F71499F251547FC481E7BC75C7,SHA256=5A79343B1BA9F0D68E5A175976E0D9607D3BBF70054711551C02958C92D6018E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:35.793{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54F22276FDB9181F992F78926B0C3FA,SHA256=9055D83D410EAA7812CF6DF06AC21B74B522FF096AF17A7B654336B1A62F20A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:35.869{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CDC0A0EC89033F0887EF46F5617AC4B1,SHA256=333E92C6F61B323F35B0E5CC5C57585BEB8F593C8B3EAA1B66EE2793A172F8AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:35.816{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BAA1F5FE4461EDB55F295D7AAE43704,SHA256=F8914B1531BA9842CEBA389CC1879481A408995DB259E3701236189178AF1C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:36.872{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300BB66BF5FE4CEAC1946871CB899645,SHA256=E80C1C3D6454EC0FD196F96D8F50AC712C99B0C79388B155FF9A3E39073A5B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:36.847{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4193CF72ED95803795FF37F02F91E811,SHA256=4037C78EE084A1333C4ED74E3336B2FF61E9F87EAFB9DFEC0AD67DA3E778BBE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:36.100{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:36.100{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:37.957{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27571BFFEED6DC3E03F004FA0D5A2B2,SHA256=07D688DC52667E70A2C097C563F782C76F6908D6DE212B3BCBE53C1B6D55CEFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:37.961{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87FDE481A41DB25AA5801D990E8DE3E,SHA256=9DC7AEA754C5CA2A56812FAF5278AAF4B8CB64BE8ADB4BE495717D5AA3C81177,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:34.908{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53697-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000192521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:35.989{E8723972-5646-6356-0D00-000000008902}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60506-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 354300x8000000000000000192520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:35.989{E8723972-5654-6356-2900-000000008902}2660C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60506-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 23542300x8000000000000000192524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:38.971{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE2B2790BC56A81BC7EFF02197016F0,SHA256=563AE578DC2D9B79C393F7506B78CB2E07B93E7662C64F1F6C5E208C71B530BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:37.055{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60507-false10.0.1.12-8000- 23542300x800000000000000099075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:39.047{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8588FE6F5C0314CA19F75A8B8FFF2F,SHA256=6033423AE004F76B66C75CD658D3EB27A975242758AA327876382CEB5D58F623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:40.133{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B774E6326C9D174E273986C1018125,SHA256=8E65A62E2DEF5539790A4576ADF4E4899B93C009C0E2203C5C6B2D50E42A1415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:40.000{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2420BFD822A1D9A5DC0B81E525153F21,SHA256=338E33E236A3418F7390A4CAADDC81FE63C340033AE2F50C15FF4B29DA4A89F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:41.150{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113C39377E96C6009C3C11E081CD5129,SHA256=58D335EADDC180D8DB31FC76C1B27B539BED9C8050CCD39EB3A4315DDC76323E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:41.218{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FD764CDF4F4F1DEF7058465FD4E4C5,SHA256=E34517270AFCC7275E0662103FB3BBFB37AA3D54034F5C6C8BED027ADDE91459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:41.117{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\2.vbs@2022-10-24_150034MD5=92F2833C130F4B5C2AF42F35FB6DA7A9,SHA256=3C62AB39ECC95E7E0D834F9D468AB7836C508BFED4EFEB0B44B3A90385F2E430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:42.304{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085CC151B3CB36B536C2FF16ED6146A6,SHA256=432FACB7D0E4A520ADD0737EDA7535AC87C86A4C77261EC554FDCD6AFE7384AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:42.954{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A8BCEBA01E139A9EA7E35D340AD51E12,SHA256=EA571C06EEEBA581AA8B918A0A877C6E28C3E9B9AB50925FF47AB61FF56FC997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:42.217{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DBEB4B82DEDC808F494B71CDC50544,SHA256=15B0CF0A8621E1F5418B43921413DD5B5E0400C214C31A24979B896507266932,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:40.755{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53698-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000099108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.569{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.567{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.558{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.555{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.554{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.549{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.548{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.544{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.543{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.537{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.535{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.532{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.530{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.517{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.507{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.487{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.485{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.476{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.441{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.431{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.424{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.415{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.406{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.400{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 23542300x800000000000000099084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.390{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F203995E18D0C709D37ED47D12AE78C0,SHA256=FA63271A74F6FED5C6D56BF6EB2DEB4E819C083B203D59DAFE9D5A8719EFDEA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.387{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.379{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.371{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.360{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.357{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 23542300x8000000000000000192533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:43.904{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\2.vbs@2022-10-24_150034MD5=595735E7A32CB5D017FECB8F97CC3D29,SHA256=9B0D3F72F1C59776F01C2511C645A0DA1B098FC0E9CE863AEB03FCFD678C2354,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000192532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:43.904{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbs2022-10-24 14:44:33.924 23542300x8000000000000000192531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:43.904{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbsMD5=F4B60F8A782F6CB108FF4B6E1FCE2DBE,SHA256=7010E45D17D07C14C700117F13A93C41F272E10287141E87F4357A189FF0F894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:43.318{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47AC1AA25D3B1290D9925F3003963DA,SHA256=E0474A180CB1481C261648B7266E7338CF6004E7B57DEA0BA0F29AC86F4FA242,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:42.991{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60508-false10.0.1.12-8000- 23542300x8000000000000000192534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:44.453{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFDFB47243BCBA1830A2892C479C7AB,SHA256=F3B32818BC94AD019659B4B86675A5774F674D882014F6C2BAC16CB4B20A7131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:44.518{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5616DD449FB19E9194A4568531A45F35,SHA256=7270BD73F95C5BDCB69090DB99268535A468185285B854F579FAF335A5597E57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:45.988{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:45.988{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:45.988{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:45.988{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:45.988{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:45.988{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:45.988{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:45.535{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8898DD5708C5ED07AEC077B51924EB3E,SHA256=66C1E14E46CE36046E76CEC08090DBC8C10CA6A08E6FE8A388F9CB1CDC581BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:45.579{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51DF1B16331A9D3019EF8994C7DDB53,SHA256=A0E02470AEB42D2B62DA80653DD969CF8E9F3D5BE33BA1253369AACF01DC4306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.861{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2025831842BF930D464DCC0299415E6,SHA256=D5E6D2B8E40888DE2546BD168791951FB91E84BD14A864761314913E21C2F892,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.756{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.754{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.753{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.750{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x800000000000000099112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:46.655{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD5969F81C922B058C9E89F0380EB87,SHA256=9F50B563C4C805144F2EB597C197D7A08577D56305ABBDCE85F51C586C2B1E50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.398{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.387{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.383{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.377{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.374{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.373{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.371{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.347{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.341{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.330{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.325{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.319{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.310{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.303{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.293{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.285{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.276{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.270{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.237{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.234{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000192544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.204{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.907{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9D0D7B2B74A98961A209D8F02FA908,SHA256=3CB0CD620AE35B94412A09AC73C21CE8BDFF7A02098D7A3D1598A5CB58CE3DD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.877{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.877{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.877{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.876{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.876{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.876{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x800000000000000099113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:47.755{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0436B12C18AC9CB2C75F8D79FC74492,SHA256=9EB3499D356CD6DC854E1E258A65B1435A145C7279BF61E109F3CE63B5ED1AC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.092{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60509-false10.0.1.12-8089- 10341000x8000000000000000192602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.021{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.021{E8723972-5646-6356-1600-000000008902}13006520C:\Windows\system32\svchost.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.021{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.005{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.005{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.005{E8723972-58FF-6356-7F01-000000008902}6482100C:\Windows\system32\csrss.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.005{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.005{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.005{E8723972-A4E8-6356-590F-000000008902}101129244C:\Windows\system32\cmd.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+1492df|C:\Windows\System32\windows.storage.dll+148f55|C:\Windows\System32\windows.storage.dll+148a46|C:\Windows\System32\windows.storage.dll+149eb8|C:\Windows\System32\windows.storage.dll+14886e|C:\Windows\System32\windows.storage.dll+14b40d|C:\Windows\System32\windows.storage.dll+14bb4c|C:\Windows\System32\windows.storage.dll+14aeb0|C:\Windows\System32\SHELL32.dll+fdb9f|C:\Windows\System32\SHELL32.dll+fda2c|C:\Windows\System32\SHELL32.dll+5b20e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.018{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\2.vbs" C:\Temp\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000192570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.005{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000099115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:45.792{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53699-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:48.837{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441AA8271B163B5213478882FFC3C45A,SHA256=A2E564A9A5732FCF32506A294484BEE8FF8D8CE3D4355C9E227854176C51FBC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:48.926{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3CE2D098AA65BDC979C54963A9097F,SHA256=3813ADCAEA2B5B977A3635499D1DD8E945618278935F6AD683EC003FB07F68E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:48.798{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:48.796{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:48.790{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000192611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:48.066{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A88CD1B2530CBC81FE684FD9D6329AFD,SHA256=422ECEF3715AE13D0DACA4EF19366921884C45C789C8DCA398631EAC0F9862BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:49.921{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCBD05FD38A3EFC140CAC4A7C458FAC,SHA256=30F9FF7E1869ADC481C8BCFB3CEB8FF6794C9E7B6307BE05E816DC6BEADAD586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.984{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693F9C80F2F6336200159B9759DCE53F,SHA256=F2B64E7CD42A2BA7BF0038ACB41B91EEB68D32E64B0CC18E7A0EC62644BB771C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.768{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB9B607EBC84CDB5E15C126FD42799A,SHA256=E1A0D2134CE10374EF4A3082A53A566C6879DE5B5AAD5B2C0FD1AB5291C497F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.653{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.652{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.652{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.646{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.645{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.645{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.645{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.558{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.551{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.549{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.542{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.539{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.536{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.532{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.527{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.522{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.519{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.518{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.517{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.515{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.512{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.491{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.490{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.489{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.488{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.487{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.486{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.484{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.480{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.477{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.475{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.472{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.464{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.462{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.432{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.424{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.408{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.407{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.407{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.393{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.383{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.343{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.337{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.328{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.323{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.322{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.319{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.317{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.314{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.313{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.310{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.309{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.307{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 354300x8000000000000000192678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:48.978{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60510-false10.0.1.12-8000- 10341000x8000000000000000192677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:50.608{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:50.608{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:50.608{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:50.608{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:50.608{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:50.608{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:50.608{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:51.009{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3B092559463B101652690DF80D600B,SHA256=B5903E240EA5D9C856F2D1C32E9B3F4C97D94438A298C8A18DADCD92B9A757CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:51.088{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0483654A5FD334DAB2E956D4C223856A,SHA256=0EE9AC5B9EC2616F55C362EEE715934C8189AB096FDB5AA115B20B03DD79E9A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:52.090{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8F88474F5E70BAF1D2C56B7A8778C1,SHA256=71845F1E1E19E423CCC6D62BE023AEE13C0963CD8DF018E9BE08953100CCF2B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:52.127{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34440D90BEB2AB7D120DE524F7EA1BC,SHA256=D6F22BF4023995ABA63516F5F2B7E7E9D4293612C84512974CDA536479830E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:53.187{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5EE47468394F2832D22429C0E25FF54,SHA256=F5D888BE367F285259620F197F9C6ED23FA407006702B0F13D5CBA8CFF46EDD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:53.975{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:53.975{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:53.975{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:53.975{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:53.975{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:53.144{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231BDFF802CC198450420667064C24AF,SHA256=F7FFABB5164DCA3F6D770815EB3CAE18252B0C47747AB4A0843FAF6168314744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:54.274{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735FB468415CC1A3F6998909937940F4,SHA256=0928A0E248E96F84E08FA99AF3A7986548171665FFE38B0354D4C294B4F3370D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:54.264{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8BB1CF79ED7C30742B7083552B4269,SHA256=0741A5F15C4537D36827F3E4451E7A43E69B88501773D6B6846E51DC9958AD50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:50.910{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53700-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:55.359{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DE6CDADFF62F5272CEDE83AE737366,SHA256=5A2D6668FD51795667157F752134D951B7A0962C8B042CC4A7B0E6503A47A71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:55.414{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C42E3F832114F184321597DDDC8E062,SHA256=A1164D29DAAB6CD0F39C58736A4B01942E87609F451FCBAA220F05BCF11600E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:56.444{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A671005D97E935B271E80A3A3A3ADE2,SHA256=31AFA6157D8462F408EC8DA57DEE1F42BBD2757BBDFBF9A3668FF0A43076761F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:56.546{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849136A19893F14DFF1F312FC4980376,SHA256=A2A3D0135D26229CFA9C29FCC318B35E54EBA5C356651F7C2137243D1519418B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:54.964{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60511-false10.0.1.12-8000- 23542300x8000000000000000192691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:57.651{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CDB77C8CF9ABEF50AFB6BCB6793651,SHA256=42429C962529121BC6D0926BCD38EAB888DE8D5C3F712898F390F9BF4EE8F26F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8A9-6356-410A-000000008A02}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A8A9-6356-410A-000000008A02}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8A9-6356-410A-000000008A02}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.923{3A30D728-A8A9-6356-410A-000000008A02}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.642{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0326DD304C11521DCE530CD3665FBF68,SHA256=34B2FBA5547D260E5186FEF3199C314260E5EBC287CC75BF1F153602CFA8D465,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:57.394{E8723972-5646-6356-0D00-000000008902}9124748C:\Windows\system32\svchost.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:58.667{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F31AB48B92419135ECD60855A4E3074,SHA256=381767DB3F48B3CA0A9D7F10AF7374054032D79C50EF2898DF10FE190629E3A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.741{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDB404052B265B84B830D55428E814D,SHA256=6174A43705E4B105A55E49E6BF3593B619AF169C81E60EA4D938578C767E8EBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:58.470{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:58.470{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:58.470{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:58.448{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:58.448{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:58.448{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:58.448{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.584{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=08B44853B928CD1E43B10DAD73BEC595,SHA256=E3745E314B98D9011FC897A97C54F27ABEAADCF4A6CBD440E6E85FF6C93DF54F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8AA-6356-420A-000000008A02}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A8AA-6356-420A-000000008A02}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8AA-6356-420A-000000008A02}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.429{3A30D728-A8AA-6356-420A-000000008A02}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.259{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=04F2AC2EFB95A9883A23A2732A1D33ED,SHA256=9A74457573E831881F88A12E1C1B3E11A599D68238E9DA33D042302D9E3D795D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.832{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7694A6EC5E43303FC963DF05F85D1A,SHA256=B2F41B523E6C8402711B739F952772EB75FBADA5F30A217D87ED7DF0FD38D2E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:57.857{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60512-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:57.857{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60512-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000192703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:59.930{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=050DDC6211AF10B2CD938FA6ADB5DD90,SHA256=D2AD5B04B649E8AD83B37569933EF17737ACD9EFC60EE5C27DAB16C8BEE86431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:59.769{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF721BFAA9A515502647B0BCF314AA1,SHA256=9AE98D2F454E227DFDF5CFBEDE3303584DAD1B09E4EE4CF0DE84A2A156AF8F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:59.036{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F23D9AC8B4A32197F3C180779C0EA2F1,SHA256=E54CE67724761AC5742B59A9D1095EAF6F8A81F4DD7CC711616270CC90F65F46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.302{3A30D728-A8AB-6356-430A-000000008A02}32643544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000099168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:56.757{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse178.183.89.153178.183.89.153.dsl.dynamic.t-mobile.pl54990-false10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal3389ms-wbt-server 10341000x800000000000000099167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8AB-6356-430A-000000008A02}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A8AB-6356-430A-000000008A02}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8AB-6356-430A-000000008A02}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.101{3A30D728-A8AB-6356-430A-000000008A02}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.038{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65C1FB5C4D2C797D460D81F1C9D0E2EA,SHA256=CFB32F0D7BF0E64510ECF465F16C57AC40B7A9625AFA8FDDEA04D4F063EEBD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.924{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA9046A355B537B3CBC86C0ECAB60AB,SHA256=ACEBF124D38749C10C4EFD12D7CE6787E215BCE6CE8493640B4EE887AE03C684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:00.865{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19B940EE58D4942421A1A032F7F5EA0,SHA256=13685BA4C280F7795EA3BDA0577801D0F0BC817614BC728F4F85F2B51FF1B096,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.454{3A30D728-A8AC-6356-440A-000000008A02}28884016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000099190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:56.913{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53701-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000099189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.249{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.249{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.248{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.248{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.248{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.248{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.114{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000099225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8AD-6356-460A-000000008A02}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A8AD-6356-460A-000000008A02}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8AD-6356-460A-000000008A02}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.935{3A30D728-A8AD-6356-460A-000000008A02}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:01.965{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C544381EBB7931962CFA361703DB1F,SHA256=5B3131EB035A0C3559870467CD447F839A094F2323EE2011895CB71DB558D036,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.512{3A30D728-A8AD-6356-450A-000000008A02}26442700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.363{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.363{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.363{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.362{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.362{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.362{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:02.864{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4D42B3AA3E92B11A7C748697A65A658C,SHA256=7735A859714DD7C084390D69084A7D21BDF6C905683FEC6C81108DF946D80AE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:02.168{3A30D728-A8AD-6356-460A-000000008A02}1784940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:02.012{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB21BB357C6623D98136376E781F127,SHA256=819534062D9AC4DB0E7330F2DC016F7C37EB970D9A9E975BB6A967AC0B917291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:02.132{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=4AC7966D70AC2E906A01EB6D6926CE52,SHA256=93FA5C4B234401A0C2ABF219A9C7CA1C67F3475495992E5861BFB5050E1635D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.725{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.721{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.718{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.714{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.711{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.706{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.705{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.701{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.700{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.695{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.692{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.687{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.685{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.671{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.655{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.630{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.625{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.608{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.530{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.518{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.500{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.478{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.451{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.424{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.399{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.394{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.386{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.380{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.377{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 23542300x800000000000000099229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.004{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF520AFA4FE2F47D7525CDC32DD5D28D,SHA256=C2A7577C8D0F2A45C2ADF6FEC3DAACCB715AA2B4A81AA780E21688A39ABC60CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:00.982{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60513-false10.0.1.12-8000- 10341000x8000000000000000192753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.670{E8723972-5646-6356-1600-000000008902}13006520C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.670{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.647{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.647{E8723972-58FF-6356-7F01-000000008902}6482100C:\Windows\system32\csrss.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.631{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.631{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.631{E8723972-5646-6356-1600-000000008902}13006520C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.631{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.615{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.615{E8723972-58FF-6356-7F01-000000008902}6482100C:\Windows\system32\csrss.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.600{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.600{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.593{E8723972-5902-6356-8901-000000008902}49288800C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000192740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.593{E8723972-5902-6356-8901-000000008902}49288800C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000192739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.593{E8723972-5904-6356-9601-000000008902}52561136C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.593{E8723972-5904-6356-9601-000000008902}52561136C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.547{E8723972-5902-6356-8901-000000008902}49288800C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000192736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.547{E8723972-5902-6356-8901-000000008902}49288800C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000192735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5902-6356-8901-000000008902}49286420C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000192734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5902-6356-8901-000000008902}49286420C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000192733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5904-6356-9601-000000008902}525610068C:\Windows\Explorer.EXE{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5904-6356-9601-000000008902}525610068C:\Windows\Explorer.EXE{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5904-6356-9601-000000008902}52565996C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000192730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5904-6356-9601-000000008902}52565996C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000192729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5646-6356-0D00-000000008902}9126752C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5646-6356-0D00-000000008902}9126752C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5646-6356-0D00-000000008902}9126752C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5646-6356-0D00-000000008902}9126752C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5646-6356-0D00-000000008902}9126752C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5646-6356-0D00-000000008902}9126752C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5904-6356-9601-000000008902}52567908C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5904-6356-9601-000000008902}52567908C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.066{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C48B2540EDFA2FBBA1AD74ED9F4B68,SHA256=4A426C5B0F51570BB5BCB561FD770E7D64E751EE7F3DCA2E84F4FADE0B871CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:04.271{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6923E3FF0105E48362905E90425EE0A6,SHA256=C6176C8577D0FE5FB0BA1ABB18555573C47AD8D32CEE8551E3CB7221F618EFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.679{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE0DFD991C0A0D5851E88C06E8F39B70,SHA256=3837CC6E09CC1F7EC3283395D2C2F95A162FF96D461BFC2D1F5BC858662235D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.267{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.267{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.267{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.266{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.266{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.266{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.240{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.240{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.238{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.236{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.236{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.236{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000192771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.191{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F75D90B706E0F7CE7D81C7285EA215,SHA256=6C87BF602CD9A2ABAD35B27AC185FD8DFE91913FBD971E2D8798F1C2BC8BCEFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.189{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5162E47D4F2DFE53746174E8D39CCFF,SHA256=26CAB2158D018114ADED3DA0C3E0B2A616BB0435998E87B132376FB040C78563,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.177{E8723972-5904-6356-9601-000000008902}52565996C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000192768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.177{E8723972-5904-6356-9601-000000008902}52565996C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000192767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.174{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.174{E8723972-5904-6356-9601-000000008902}52567360C:\Windows\Explorer.EXE{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.173{E8723972-5904-6356-9601-000000008902}52567360C:\Windows\Explorer.EXE{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.172{E8723972-5904-6356-9601-000000008902}525610048C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.172{E8723972-5904-6356-9601-000000008902}525610048C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.171{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.169{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.169{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.168{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.146{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.146{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.146{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.146{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.927{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.927{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.926{3A30D728-58B9-6356-0B00-000000008A02}6241360C:\Windows\system32\lsass.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.910{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000099275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:02.715{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53702-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.432{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14330F020ECD35192C2990D9D9D2F00F,SHA256=289B49B6A422EAF0D426301A2EA96CD470D056850575AD55175A0745A91545DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.369{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23209E7310CB9CB5E9F5014048343A2,SHA256=700E32F1EFCE9586750892937F9916128C4C1E73299642543CFC1BD15340BA54,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000192795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000192794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x014207a2) 13241300x8000000000000000192793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e7b1-0x0ee84bdd) 13241300x8000000000000000192792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e7b9-0x70acb3dd) 13241300x8000000000000000192791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e7c1-0xd2711bdd) 13241300x8000000000000000192790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000192789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x014207a2) 13241300x8000000000000000192788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e7b1-0x0ee84bdd) 13241300x8000000000000000192787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e7b9-0x70acb3dd) 13241300x8000000000000000192786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e7c1-0xd2711bdd) 23542300x8000000000000000192785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:05.363{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E004A038667B359609F7786EF80F6D,SHA256=0E4BA3CCDA3CA14BD8A883D0FCD927ED5ADF2270053CD9559CC7F4BC301E88F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.014{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8B1-6356-470A-000000008A02}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.008{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A8B1-6356-470A-000000008A02}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.007{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8B1-6356-470A-000000008A02}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.007{3A30D728-A8B1-6356-470A-000000008A02}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:06.447{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABBCD63ACB251EAA61C681B4CAA849C,SHA256=2CE7B9F7D13D847220EA7F2DECD632E22AAF1A8F90DBCCAD4880530F5FCDED1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.842{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.838{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.836{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.828{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 23542300x8000000000000000192816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.443{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A1084F5FA12C910DF90382F1FE2897,SHA256=7E8C1E70107EB4DDDC44880563DDA8D23678EC97BF6FFAD80265E4D931392422,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.415{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.404{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.396{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.388{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.384{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.382{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.379{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.353{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.346{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.332{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.324{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.316{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.308{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.298{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.287{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.280{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.271{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.263{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.224{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.220{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 23542300x800000000000000099282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:07.794{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DDD6567AB4757DBDF717265990A2BD4A,SHA256=70110DEAC58702210AAE78333A9C38063D8CDBD26754A38574C7A453508F9A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:07.529{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3547493197D84A4C9220E342E0EF587E,SHA256=2C12E61913A7D8B9FE44751C27F0BAF3DD1CAC99AF4D0150042461342744360A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.066{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60514-false10.0.1.12-8000- 23542300x8000000000000000192821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:07.494{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CD60B47186DAC2C8A3F50609D1A4E9,SHA256=DCAA6BC73468062BD58540E63FEEC5D9784A2EF44C9FA4FF2F77AA18EEDA7E90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:08.605{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0299503F7B686DEA155CACFDF68E5C1,SHA256=0CC8F0E71358120BE0BEF70F39EA17AC20EF573360D247A5C0346B52F204F71B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:08.874{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:08.873{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:08.864{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 23542300x8000000000000000192823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:08.594{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92210FEF63FAFB69A7DFDF227FD40940,SHA256=CB7D8A041AB23F3347EC11E3CBC1238F95891DB19BA5AF25B0A5793AF0CE0711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:09.712{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC29D9556B833580779E74F694B7009F,SHA256=343C439BE7AC5C21B0BDF9EC5CB62CA40F669C9BF06AED60CB931637451F5265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.719{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98AAA37B546A970A8BF840C86FC2A729,SHA256=050E669E49B127E5FFFC5327E95B3DAD8269EAFD1057C209F5C22761F4F67DBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.647{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.645{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.642{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.641{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.632{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.630{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.628{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.624{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.621{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.621{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.621{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.620{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.620{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.620{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.619{E8723972-5902-6356-8A01-000000008902}434810208C:\Windows\system32\sihost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.617{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.614{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.613{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.612{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.610{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.606{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.591{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.590{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.589{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.588{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.586{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.585{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.583{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.578{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.576{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.573{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.570{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.556{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.556{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.520{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.516{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.505{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.504{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.504{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.490{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.482{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.467{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.467{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.467{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.440{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.432{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.421{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.416{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.415{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.412{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.410{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.407{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.406{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.401{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.399{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.395{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.232{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.232{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.232{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.132{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\2.vbs@2022-10-24_150102MD5=F6338A628017A364CB06C0445CEB23D3,SHA256=D594D22972B0287706D565159429BB5D91F17A5FCAC5234FF2139032F0C8D093,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.048{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.048{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.048{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.048{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x800000000000000099285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:10.790{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6C65BAC68B5CB1B3322D88C930716C,SHA256=AD75DE23793E0E0E151A0F2C299CEA23AE3FCC29ADD5004F5E0847372199EF37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:10.683{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DEF9BFAA973110E6758906AA25D791F,SHA256=BAF00EA4365F2CB36073808224CF300AB737C8B51237272D2A66B78BA39D7DFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:11.880{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5593CD1684E66AEE983E012B208F79,SHA256=1D24C5AB59BEDB58D945E6EB6AC30708BBA054C68B5DE6120C4E38F5F7E68CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:11.769{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85541571127A99839C3CF9B15405ED2,SHA256=B471C7B6A3CBA118539FAC611588B407FEAAEF566FEB10A61F835B6F5AC10BC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:07.918{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53703-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:12.974{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101B87DB681335C9038D97D82CB960C6,SHA256=1DE9559C12A575F71B3AE597E65863F11F69B304CA4EE10AE38A170CAF46024D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:12.882{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B95ECFA94D82E5CBB54E79A0F9D575,SHA256=B180EE94C723A7C205E11BABB4AE8D92BE7932414403BFC07289294F25DB6836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:13.998{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E9A4BC2965C1C2E63B304BBBAE2C656,SHA256=D8990E88E5BFF81E6CCE630A9B4A5A8804E087C996D263A30A819562DF4E7BF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:12.009{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60515-false10.0.1.12-8000- 23542300x800000000000000099289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:14.064{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A36E5AE755D7096882E3ED540A8E869,SHA256=7C816DEAA50A0C90E0B16125BE14014771A5DB3A6D523F551129A78DECC4ABBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.236{E8723972-5646-6356-1600-000000008902}13006520C:\Windows\system32\svchost.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.236{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.236{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.221{E8723972-58FF-6356-7F01-000000008902}6488004C:\Windows\system32\csrss.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.205{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.205{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.205{E8723972-5902-6356-8901-000000008902}49286420C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000192922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.205{E8723972-5902-6356-8901-000000008902}49286420C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000192921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.198{E8723972-5904-6356-9601-000000008902}52561136C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.198{E8723972-5904-6356-9601-000000008902}52561136C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.177{E8723972-5902-6356-8901-000000008902}49286420C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000192918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.177{E8723972-5902-6356-8901-000000008902}49286420C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000192917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.177{E8723972-5902-6356-8901-000000008902}49288800C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000192916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.177{E8723972-5902-6356-8901-000000008902}49288800C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000192915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.175{E8723972-5904-6356-9601-000000008902}525610068C:\Windows\Explorer.EXE{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.175{E8723972-5904-6356-9601-000000008902}525610068C:\Windows\Explorer.EXE{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.174{E8723972-5904-6356-9601-000000008902}52565996C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000192912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.174{E8723972-5904-6356-9601-000000008902}52565996C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000192911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.168{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.168{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5904-6356-9601-000000008902}52567908C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5904-6356-9601-000000008902}52567908C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.120{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C341CEA85DB6DFAB26DB2899FF90932,SHA256=A1F14561FF63FBA12B658DDAB2CA33A4E5B5845F814F5972549E6B80FFEDE081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:15.150{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320021876AC0B10638A9052DBFEE32CF,SHA256=B201F41F02FDC0EA78920C51A795D6D7F5C6D63D2D68FE4AEF5091A413A62B2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.420{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5642-6356-0100-000000008902}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000192940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.324{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F86A8F9160371C36CAF394F79331E609,SHA256=E75DC4F8EFC9EF0362FE0D6F65E3A7AFFD33B6088B79B10738A9A569514E8A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.322{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB450E2A54C6AE0554C6C573B52002F,SHA256=2C1CD1B3617276C9D3335CEB66697F57D92EC845C06194B5E9C84FBF265498BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.320{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.311{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.304{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.303{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.303{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.303{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.303{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.303{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000192930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.136{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\2.vbs@2022-10-24_150102MD5=E7111EC9F46C99DC54F6D96D975D62B1,SHA256=E2DC195CB41BD1E55D66C284B812E2265F3A3AC6934358DFFBC18FE8FBB1EA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:16.240{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545CE518925AEA903A06136C7DE675C8,SHA256=520AF970E4520898259702F958E2580C732B72C81A50C1369B364A373CA0E237,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:12.928{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53704-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:17.924{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:17.332{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0C399022CAD62658CE501E7DD716EA,SHA256=21315DE5A1A26B0D0E0E07FFF574BEF6F6D49D55B12336491C25FF12E4B033CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.736{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\2.vbs@2022-10-24_150102MD5=91ADAD51A0A31DD71ABFAA8F021039B0,SHA256=D74765CD62FF04008B16EC368417923E6E639D8CC03FF4EDD3BDC32C1AD6C890,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000192965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.736{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbs2022-10-24 14:44:33.924 23542300x8000000000000000192964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.736{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbsMD5=17C133232CFFD19DD0471A4499D0ECD1,SHA256=DB3A3F0C736A9BBD4B55BCF6C4F946EA079201A90539B9BC203713C0C5AD7C77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.635{E8723972-5904-6356-9601-000000008902}52565996C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000192962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.635{E8723972-5904-6356-9601-000000008902}52565996C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000192961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.635{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52567360C:\Windows\Explorer.EXE{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52567360C:\Windows\Explorer.EXE{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}525610048C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}525610048C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000192948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.313{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60518-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local445microsoft-ds 354300x8000000000000000192947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.313{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60518-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local445microsoft-ds 354300x8000000000000000192946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.209{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60517-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.209{E8723972-5646-6356-1600-000000008902}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60517-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.201{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60516-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.201{E8723972-5646-6356-1600-000000008902}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60516-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000192942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.236{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C5F36D4173A530D25C0EF8A1F328DC,SHA256=77AAA1B94B8F10FBDA8DDDCC41CF0F6562A157D61EC42DBBBD9663A4BD684A50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:18.419{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F594D097E27B3E74FF80431614CF50C8,SHA256=416C7C08EDA1941978E0A2C9F482AAB0C3E6E2ADAC119E654CB88B7DBCEF52A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:18.330{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9889CB1DD6FCB38127BBFEDA2E9708,SHA256=EA211920706644BA88BDC4D8FFED64D4A6E22FDEA050EF3688B7443396343E76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:19.505{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E186F45A9251BE51369DEABA5DB1F1,SHA256=E1A8919DD0F2CEA8F7DA4D6B8C386A32C83F35C8F1F215E4403FEF72BB481059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:19.385{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C36246E1C837E94D4D02920C338BD4,SHA256=371BCBDFAD7C633968F492D457E611C5830A8D3252C4523EC7E5B145BDE3A2D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:19.385{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F369B099AAAD3EC9F3EF16977AD8DF5A,SHA256=E01C5D13B1E56729335AEA3A6FFE1C00B87E467EA9E25CCFD4BCE85F89B34B0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:16.601{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53705-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000099298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:20.594{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B538C63EBDA9941475BDC9B2792AA6,SHA256=C32749D044B97A3DD9F30B10264EC9C26D9E96742EFBDC4F042CCAC20AB08F81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:20.684{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:20.684{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:20.684{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:20.684{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000192971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:20.500{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D604659B33674712099179A9E856EE,SHA256=A6137C0B48DC4929810AF31810980061B4EAA05D93F0B35E9831CC597CA3A772,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:18.009{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60519-false10.0.1.12-8000- 23542300x800000000000000099300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:21.710{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711DE859B669C10FB0CF2356690ECEB9,SHA256=018D9C841771F3BF793F549A75DCB4369264829ECF6CB047F9D86EAF793C2FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:21.637{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95B98456319314A855E53BCFA4D563C,SHA256=1CD77704AA8A9441F52756D0D54A39853E3D0D46156EA0887D639FF9BA098480,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:18.698{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53706-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:22.794{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713B6FD9C17E917853817CF4BD5D3D6C,SHA256=CC559C41C6ECA6708D0DFEABA5AA9FDA0F129125C4E7F51CF1195720E5881A58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:22.898{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:22.898{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:22.898{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000192977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:22.753{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A677CF467F05E084EDD2D2F67C51835C,SHA256=D0FE59CFC7C762BE99466FB11081918A5BB3F6D3194BC8DEC9AC0ECA5E0DA8B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.893{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-342MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.853{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F010DB7733E833064ABF6A6119E16D4,SHA256=E2D2EBB0F68A8896074659A030233D6D4220BDDB80BF89733E20CE8DF0566FD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.623{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.620{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.615{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.612{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.611{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.605{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.603{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.600{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.598{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.594{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.591{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.586{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.583{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.573{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.557{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.524{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.520{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.507{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.475{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.464{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.446{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.423{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.416{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.409{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.399{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.385{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.377{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.368{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.365{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 23542300x8000000000000000192987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.599{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=967AAFE092C298297809D1B2AE92282B,SHA256=91E8C2902E2454ADBC712A0988E24B89E58497D64CD9F968B154650712ECCE89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.053{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.053{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.053{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.053{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.053{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.053{E8723972-5902-6356-8A01-000000008902}43488208C:\Windows\system32\sihost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:24.983{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB063855EE10286A7E98AAE401D73C5,SHA256=F253DE3BB9A85E22794C622799100D365484935F64F3D075408ADA66DCE99FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:24.884{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-343MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:24.138{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29304FA335316D81589C556B5B81188,SHA256=D6299898062CE4CD4683726B950AEFD33D618B4F1270D66F0FF9851D16011AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:24.706{E8723972-598A-6356-3A03-000000008902}2764ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\2764.xml~RF14250e0.TMPMD5=38B3B629FA51245D94DE48EE973F2315,SHA256=7AEA9C989BB3CC8B7D4D000946600CD0CFDDD79E3F856C98B216BF82DA28A766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:25.970{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F53F3C266B2FD6D95866EE01F5B084,SHA256=6326A38EB864DF16AC02214CA0E0C7B0107A8BC3C26C4D5CA9703631E7C0EFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:25.466{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-332MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:25.229{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DEB64DC2AE53E6637881BE70F1CCA1,SHA256=9BA6650761850540392F417F3A67EC45FD9E3BDE0021B556E1E8BB1295F9F515,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.110{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60520-false10.0.1.12-8000- 23542300x800000000000000099335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:26.465{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-333MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:26.311{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175C7D9738B942E10B97069C6A9FAF1D,SHA256=BBF4E7DD6B91F0A9CCFDE18ABCB10FD5A12482334503EC0CA6E698C96AD82B0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.930{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.928{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.927{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.924{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.897{E8723972-A8C6-6356-0910-000000008902}83203812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.709{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A8C6-6356-0910-000000008902}8320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.706{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.705{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.705{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.705{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.705{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A8C6-6356-0910-000000008902}8320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.705{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A8C6-6356-0910-000000008902}8320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.704{E8723972-A8C6-6356-0910-000000008902}8320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000193022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.497{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.487{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.483{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.476{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.472{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.466{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.464{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.432{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.422{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.409{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.404{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.398{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.389{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.376{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.363{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.355{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.347{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.331{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.257{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.254{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.036{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A8C6-6356-0810-000000008902}9924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.036{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.036{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.036{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.036{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.036{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A8C6-6356-0810-000000008902}9924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.036{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A8C6-6356-0810-000000008902}9924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.037{E8723972-A8C6-6356-0810-000000008902}9924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000099337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.909{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53707-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:27.395{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0DD85B1ECD1A7E2F84148819F6E388,SHA256=8432057DB9E6D8BD1424E225B8087113F84CE232F3E82C889524830E3EBEBBA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.508{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.508{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.508{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.508{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.507{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.507{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.355{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8F70E8A78B9395F1E4EF7AC7E07C92,SHA256=0965CB00D3A598E381E734E2141B7FF9E063FEA41BD3F077AFAABFFC7E439357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CAC21265AD837D3973C976DAABA3024,SHA256=FC0C5B0E3AA7F4D43E0B7C1CD0AF5EDF341C06DF8E5C788B47A22311E691DB0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.105{E8723972-5904-6356-9601-000000008902}52565636C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE77F87)|UNKNOWN(FFFFA4475EE72611)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EE72296)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000193037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.105{E8723972-5904-6356-9601-000000008902}52565636C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE77F87)|UNKNOWN(FFFFA4475EE72611)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EE72296)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.105{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1425a47.TMPMD5=B6AF075EEF849C96E5B077C7686AD18F,SHA256=6238E31FF8D53F83D88B98475C1ADF7A06FFF50096493BBE9E30B6DA56F87D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:28.480{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94737042609983EB8B16230F4786DD88,SHA256=7E0FD4D885F077609D5EB1DBC3FB43B2FD51B262783572AC04D71C1F4D8FE48E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:28.961{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:28.960{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:28.955{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:28.714{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:28.222{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8C185E9842D7F8E53AC2C2F2155978E0,SHA256=2EC9152CBC5CC9F13E23CCBD65BEEC9941ED72B56CDFEF693DF5B9294698ECFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:28.153{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE8B50B654A41BCE338C3777A27D908,SHA256=048C88B4800D08F2CA533EB4C4A09E7B64B8F639CC5DC4DF5A954F5A80777767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:29.571{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721A2D948D1E0119F4A196D09FF4936B,SHA256=EC1CABD7F3C3184E72AC557FBE95AAD93B6D5A2E44825B2CA80DFC23F3644ACE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.724{E8723972-5646-6356-0D00-000000008902}9126552C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.712{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.709{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.706{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.705{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.697{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.692{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.688{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.684{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.679{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.670{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.666{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.665{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.664{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.662{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.659{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.644{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.643{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.642{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.641{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.640{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.638{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.636{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.633{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.630{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.627{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.625{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.616{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.613{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.583{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.578{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.566{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.565{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.565{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.551{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.543{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.506{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.498{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.488{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.483{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.482{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.479{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.476{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.473{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.472{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.468{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.467{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.465{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000193061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.224{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DCD5AD01C192FC8EB5C983B3E4D113,SHA256=B82A2E1E04B90A05B0C9E6BA4F8C2F03D3B4C58C85680AA859A39A9AC4092CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:30.661{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3D30780205CA56DD4318DE60071019,SHA256=0676A2BFFCEDE24CF0E0594262879CB2CF7012E2A826F65511557BA7B1E99DEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.686{E8723972-A8CA-6356-0B10-000000008902}97088564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.525{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A8CA-6356-0B10-000000008902}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.525{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.525{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.525{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.525{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.525{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A8CA-6356-0B10-000000008902}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.525{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A8CA-6356-0B10-000000008902}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.529{E8723972-A8CA-6356-0B10-000000008902}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.525{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A2BAB129E25B6868F5F02DDC1B6B60,SHA256=E974AC2B7EEB08EF8DB14E2B7DC8FCACA8E1CB858C87F6C01A029BCCCE0B4B25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.011{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60521-false10.0.1.12-8000- 23542300x8000000000000000193110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.139{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AEE4E8064DAA97B1F5C7D6373C04D585,SHA256=D72612456C96096693C804F62C142D423C5933E08FE9DC01461ED4DD9D6ABB63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:31.742{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1DC9FD037D2835C29735B960693BF23,SHA256=B9D64BB8AEE6FCAD09759D98C35F78BF160C347AEE050781632F0B98F241067D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.877{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A8CB-6356-0D10-000000008902}10036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.875{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.875{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.874{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.874{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.874{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A8CB-6356-0D10-000000008902}10036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.874{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A8CB-6356-0D10-000000008902}10036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.872{E8723972-A8CB-6356-0D10-000000008902}10036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.510{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9275E7DEF4327AAB47876893BFEEDAD0,SHA256=3ABA28C97EF799553786AAB473E0F5D2BC6F804FE41B32D71CF42C6C4603B276,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.355{E8723972-A8CB-6356-0C10-000000008902}1022410096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.201{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A8CB-6356-0C10-000000008902}10224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.201{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.201{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.201{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.201{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.201{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A8CB-6356-0C10-000000008902}10224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.201{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A8CB-6356-0C10-000000008902}10224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.202{E8723972-A8CB-6356-0C10-000000008902}10224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:32.829{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D5CEE5987DCE7CC9BE3270A7682295,SHA256=525B6BC28688E72552B1CF5BBC93510C1C106E4177E491699BBD0E64B7CA4F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.987{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A24DB5678A5BD0E033D1808F3CD869D,SHA256=B2A6C40EF6D8E64096C5C83D1572816F0FFA49D0F7A1F24F4DB74BDD3334FBE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.702{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A8CC-6356-0E10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.702{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.702{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.702{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.702{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.702{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A8CC-6356-0E10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.702{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A8CC-6356-0E10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.703{E8723972-A8CC-6356-0E10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.584{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7600DFD671EF83279F46206495FFF8,SHA256=D49496578677AF1079C9B97646D6E4A481AD2BAE5B7ED47E06833870EDE3C051,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:29.919{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53708-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:32.112{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C01C2336CFA5C96401A5A3E9A304FF8C,SHA256=DAF06265B64557EC370FE7AFDB144E385FCA7AD9F841D34C98B3778515CCEE0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.125{E8723972-A8CB-6356-0D10-000000008902}100363288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:33.910{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C3D06EC08F660C98C78C86DCC66BA8,SHA256=635D3962D56B5BAB7DC9E7D367387CBF3AA7747CACF29E466DD0F955F736AE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:33.655{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCD639A3BA6492974ADD6C23F0FC924,SHA256=7A44A990ECE6F6ADE9B627F643B41F9C9F4E2E0E4A646CE749E96B0C079239C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:34.772{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13B378D63D8E704DCC9F38F3F449E6A,SHA256=550FDD25BC73018E48D7F608C437D0853563778BEB6EF36C5B0CAD7345F91FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:35.886{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5D08F5C277AD64087EA75E9B527E27,SHA256=23683C1CF82B625E7F425D6DE32EE296D9419E268891CC174246D124E46A09F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:35.008{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63BC3011C70C56E774E3632424D20F51,SHA256=558DA9AA0929AD92C8C57317B7021C2493E24EB77AE8C0318B176C23B5FE8491,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:34.013{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60522-false10.0.1.12-8000- 10341000x8000000000000000193166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.940{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e744c9|C:\Program Files\Mozilla Firefox\xul.dll+e74e98|C:\Program Files\Mozilla Firefox\xul.dll+e623f4|C:\Program Files\Mozilla Firefox\xul.dll+3842e64|C:\Program Files\Mozilla Firefox\xul.dll+38be584|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:36.103{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0575C6CC5257C22B48A9D5D3AB6C869A,SHA256=73381BA66D5EB56D2DBC1E93B0E36F61623A538224A18A9702F867E236637BFD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000193165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.586{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\AlternateServices-1.txt2022-10-24 15:01:36.585 23542300x8000000000000000193164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.586{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000193163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.585{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\AlternateServices-1.txt2022-10-24 15:01:36.585 11241100x8000000000000000193162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.486{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\SiteSecurityServiceState-1.txt2022-10-24 15:01:36.486 23542300x8000000000000000193161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.486{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000193160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.486{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\SiteSecurityServiceState-1.txt2022-10-24 15:01:36.486 13241300x8000000000000000193159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:36.401{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E8A68842-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E8A68842-0000-0000-0000-100000000000.XML 13241300x8000000000000000193158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:36.385{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\16F939A6-F11C-43C5-B462-BE8A86302C43\Config SourceDWORD (0x00000001) 13241300x8000000000000000193157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:36.385{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\16F939A6-F11C-43C5-B462-BE8A86302C43\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_16F939A6-F11C-43C5-B462-BE8A86302C43.XML 10341000x8000000000000000193156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.385{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.385{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:37.184{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BB5B3CCF085F5836D9195E86C246F7,SHA256=BCE522D4ECEAA84A6CC712C8561ED706F2319754D290DC6721AA43A9B2105C25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.969{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e744c9|C:\Program Files\Mozilla Firefox\xul.dll+e64954|C:\Program Files\Mozilla Firefox\xul.dll+e735b2|C:\Program Files\Mozilla Firefox\xul.dll+f5584|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+1a6dc33|C:\Program Files\Mozilla Firefox\xul.dll+17ce8db|C:\Program Files\Mozilla Firefox\xul.dll+1a962ad|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.969{E8723972-5A49-6356-0405-000000008902}57162520C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9ee269|C:\Program Files\Mozilla Firefox\xul.dll+f5584|C:\Program Files\Mozilla Firefox\xul.dll+1a8c96f|C:\Program Files\Mozilla Firefox\xul.dll+12a75|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+125a7|C:\Program Files\Mozilla Firefox\xul.dll+9d3fd1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-58FF-6356-7F01-000000008902}6482100C:\Windows\system32\csrss.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5A49-6356-0405-000000008902}57163324C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+aa82|C:\Program Files\Mozilla Firefox\firefox.exe+648e|C:\Program Files\Mozilla Firefox\xul.dll+7bd31e|C:\Program Files\Mozilla Firefox\xul.dll+9e90d4|C:\Program Files\Mozilla Firefox\xul.dll+9e7125|C:\Program Files\Mozilla Firefox\xul.dll+9ef13e|C:\Program Files\Mozilla Firefox\xul.dll+846b13|C:\Program Files\Mozilla Firefox\xul.dll+17cdaa7|C:\Program Files\Mozilla Firefox\xul.dll+17cc7f5|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+84a377|C:\Program Files\Mozilla Firefox\nss3.dll+711dc|C:\Program Files\Mozilla Firefox\nss3.dll+89b11|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.956{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe106.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5716.285.1564014951\900420841" -childID 282 -isForBrowser -prefsHandle 5888 -prefMapHandle 9928 -prefsLen 34438 -prefMapSize 231165 -jsInitHandle 1016 -jsInitLen 246704 -a11yResourceId 64 -parentBuildID 20221019185550 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b73f403-e37b-4e48-8117-49cb0c0869d3} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" 9376 1ddc1e31f58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442LowMD5=2C1C9646FE1E0E4523667FB6F258C59F,SHA256=BB0679AB0C71EF86E2A353C0B3B9258C42C104B3C9A3AD23647934B795D09ABD,IMPHASH=5358568F6EDC0DB44595BE82D0734963{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000193254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000193228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:01:37.947{E8723972-5A49-6356-0405-000000008902}5716\chrome.5716.285.156401495C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000193227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.629{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7EF41F370334DC5CC2943B063FBF71,SHA256=364DA9F9E7524735616554F4E710593DD28D8D614D0CC081CBE4F9954F9DEA18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.379{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.379{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.379{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.379{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.379{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.379{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.379{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.371{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.371{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.371{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.371{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.240{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.240{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.240{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.040{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\indexMD5=436E3C3207CFCFD569C4BB16F020A9E8,SHA256=60E3D23063F07F3641E423DACDF96A009B32DEF0A2AE204D2F3F1D9A470C6D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.024{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.024{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34687AC7B252C4C2F4893C662E87E697,SHA256=D56A32196D8F5C1FA42FEC9AB3349CD3DF5511440F756F0D146894335D2DB102,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:35.953{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53709-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:38.284{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B609E1B440734F00D5559D26D620145E,SHA256=4E49A51B4F84E83949DFD0E2B9FFFD5CE95B2B348E0B17CBFA330C893992206B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.688{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A8E153AA655075BD56FA611F9FDECDE6,SHA256=1F9553E020A46DF4D60F14B0DCECAFBDB8323064B3CE57F1B5CD2CB75F1A9CB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.651{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=365A83E36997CF2FC9455A6AF91AB50C,SHA256=41CCABA192E7764296ED799B929BD7F977279C177FA09EE60D7CC650F5F1E583,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.602{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.602{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.602{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.601{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.601{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.601{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 354300x8000000000000000193292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.403{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60526-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000193291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.390{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local56057- 354300x8000000000000000193290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60042- 354300x8000000000000000193289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.128{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60525-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000193288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.128{E8723972-5654-6356-2900-000000008902}2660C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60525-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000193287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.949{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60524-false104.244.42.66-443https 354300x8000000000000000193286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.834{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54533- 354300x8000000000000000193285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.276{E8723972-5646-6356-0D00-000000008902}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60523-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 354300x8000000000000000193284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.276{E8723972-5654-6356-2900-000000008902}2660C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60523-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 22542200x8000000000000000193283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.838{E8723972-5A49-6356-0405-000000008902}5716tpop-api.twitter.com0104.244.42.194;104.244.42.2;104.244.42.130;104.244.42.66;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000193282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.838{E8723972-5A49-6356-0405-000000008902}5716api.twitter.com0type: 5 tpop-api.twitter.com;::ffff:104.244.42.66;::ffff:104.244.42.194;::ffff:104.244.42.2;::ffff:104.244.42.130;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000193281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.355{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0ACD8DFF52D9C221DD6A8037AE70B94,SHA256=852EA9506EF3C043E88403ABF7659CE8DA56BC13C417D6816123F3D0A3663E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.173{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64942C5899DCA84DCF5D1D5ED6DDF68F,SHA256=2581D5DA18C6306E0546D7425491D90E289BECDFDDBD9D75D7AFC8CD6078E5F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.076{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.074{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.074{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.055{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.055{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.039{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.039{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000193272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:01:38.039{E8723972-5A49-6356-0405-000000008902}5716\LOCAL\cubeb-pipe-5716-281C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000193271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:01:38.039{E8723972-5A49-6356-0405-000000008902}5716\LOCAL\cubeb-pipe-5716-281C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000193270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.023{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000193269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:01:38.008{E8723972-5A49-6356-0405-000000008902}5716\gecko.5716.2520.14351467515787919364C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000193268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:01:38.008{E8723972-5A49-6356-0405-000000008902}5716\gecko.5716.2520.14351467515787919364C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000193267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.008{E8723972-5A49-6356-0405-000000008902}57162520C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1a8e6d4|C:\Program Files\Mozilla Firefox\xul.dll+1a8c797|C:\Program Files\Mozilla Firefox\xul.dll+12a75|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+125a7|C:\Program Files\Mozilla Firefox\xul.dll+9d3fd1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000193266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:01:38.008{E8723972-5A49-6356-0405-000000008902}5716\chrome.5716.285.156401495C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000193265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.008{E8723972-5A49-6356-0405-000000008902}57165536C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+113deb|C:\Program Files\Mozilla Firefox\xul.dll+12f85dc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000193264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:01:38.008{E8723972-5A49-6356-0405-000000008902}5716\gecko-crash-server-pipe.5716C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000099351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:39.384{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=612CD3CCEB5D16FD287DD7B0163EB97D,SHA256=4A52B5D4D3A3C732717B831502CFF7782CF15DFBA151E18F51A48A05FDC4EBBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.959{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60527-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000193302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.959{E8723972-5654-6356-2900-000000008902}2660C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60527-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000193301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.272{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5367F3534F566D873B7282C0C2DCEC24,SHA256=5760B6F9AC3449EEBBAFE5CD0A84B291295564615C259C03666F60773162EA0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:40.470{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2EB97ACB5F7080B0DF13D2BE3594D87,SHA256=56DC82006EECCADEF9F4EE6355F40DF7AA528C73F2D264475923EE33ED205B97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.887{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60528-false104.244.42.129-443https 354300x8000000000000000193308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.852{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local51529- 22542200x8000000000000000193307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.858{E8723972-5A49-6356-0405-000000008902}5716twitter.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000193306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.857{E8723972-5A49-6356-0405-000000008902}5716twitter.com0104.244.42.65;104.244.42.129;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000193305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.856{E8723972-5A49-6356-0405-000000008902}5716twitter.com0::ffff:104.244.42.129;::ffff:104.244.42.65;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000193304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:40.327{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874278AEC54ED1FBA88A205805DB8058,SHA256=8F8334B1A29878F7632143F322A3A73190B13689B9BC5B55D7529A10703F7480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:41.563{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BEC0699842FE50E35E5321BF3292CD,SHA256=531FE67D2F96C7F1BA1182C7C235E37824CF57107384F7166D8A5C52A6B96E8D,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000193320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.537{E8723972-5A49-6356-0405-000000008902}5716d3ag4hukkh62yn.cloudfront.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000193319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.536{E8723972-5A49-6356-0405-000000008902}5716e5791.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000193318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.535{E8723972-5A49-6356-0405-000000008902}5716e5791.a.akamaiedge.net023.202.84.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000193317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.535{E8723972-5A49-6356-0405-000000008902}5716d3ag4hukkh62yn.cloudfront.net013.224.36.4;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000193316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.535{E8723972-5A49-6356-0405-000000008902}5716www.macys.com0type: 5 www.macys.com.edgekey.net;type: 5 e5791.a.akamaiedge.net;::ffff:23.202.84.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000193315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.534{E8723972-5A49-6356-0405-000000008902}5716www.amazon.com0type: 5 tp.47cf2c8c9-frontier.amazon.com;type: 5 d3ag4hukkh62yn.cloudfront.net;::ffff:13.224.36.4;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000193314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:41.458{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72ACF66E56A69064A3FD6C488FC934B,SHA256=1E170FAF58E8B03FCEA7064A80A24C17C144C1F2D68174F15A5937BDC944DAFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.530{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54042- 354300x8000000000000000193312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.530{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local56895- 354300x8000000000000000193311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.528{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local52970- 354300x8000000000000000193310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.528{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55033- 23542300x800000000000000099354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:42.656{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA3FCDA17F35F0EB10699419B09BAD6,SHA256=F3B2DD6DC40C9D87ADA389FD75BBA46FA6C034BE218F93BFEA8A38FD4D93C276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:42.557{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F833C4797746E5B721A23CAF0034D88,SHA256=99C10233DEC5293A7278D3A1B6A41830A3F7A2FBD507D756915821076DB210E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:40.015{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60529-false10.0.1.12-8000- 23542300x8000000000000000193321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:42.042{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\6787MD5=BE2D84830316ACBFED5C41291DB9D2E5,SHA256=7F3430E5A9042DA31CA278B9DADC0F57CA7A767E2DC58696C7A7919EDCCA3763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.741{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100C2331C8F9DEAAB5B70D6C0AC1C049,SHA256=0F91E148ECEC926CA57CAE8FAD527EB8993883EEA468A987B585A800FF3213C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:43.587{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5EAC3A646F2B1C3F0B39BA5AD0280F,SHA256=AB2BC627E7620A47A5D5BA3D0C1BBAB4B626DC7F387D0AE0813E016605274FC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.564{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.562{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.558{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.554{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.552{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.546{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.545{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.538{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.537{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.530{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.528{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.524{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.521{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.513{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.505{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.485{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.482{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.472{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.443{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.436{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.428{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.418{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.409{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.404{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.394{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.386{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.376{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.367{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.363{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 23542300x800000000000000099385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:44.939{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A1F834B2B98B752B9B4484B98A0B0D,SHA256=AD41DA69288F2A11B10A8B34907BDCEF5547F3E7716ECD126399FAFF38973CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:44.658{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946A59CDBB6972C2CF5D336556C7F97E,SHA256=F5352703E054F40433E8BA4052FD16EEF520AF7D8A30E8EB14F949A9F0568AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:45.786{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03155BB5D553FE770167DD2960DE6C54,SHA256=4F8AE0E0D77BFA816CA77F8412158953ABA8ED7370B1A58201B11B430900B328,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:41.735{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53710-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000193352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.939{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A49F9271EAE42265B0DAC6C293C673,SHA256=308BD426CC30D1AE54B719CD511D54D6BD1053890EE3649565B0C6EE7959951C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:46.025{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0D9F6E633FCBA42406F67F6DD6AA4A,SHA256=8DF237B1D0D9FFE9581AC94D3F66C1BD39280CA87742EF68799904F0BC666752,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.780{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.778{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.776{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.768{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.396{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.384{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.379{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.372{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.369{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.368{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.364{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.342{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.337{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.324{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.318{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.310{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.303{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.294{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.284{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.277{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.268{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.260{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000193329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.225{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.224{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.221{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x800000000000000099388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:47.106{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F853B7DE59915C655AD0A431230F2B05,SHA256=01C9AD1649F6955CFF7AAF893597244CA3BB8D5DBF1F7064EBB617E39E39C55D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:48.184{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F4EB3B07EC58CCE9213B1792DA0BBD,SHA256=DA97BAD7A98CA095B3D63EE8994A2F27420915EE654645F50C4DF76ADBCC27FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:48.809{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:48.808{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:48.802{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 354300x8000000000000000193355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.097{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60531-false10.0.1.12-8089- 354300x8000000000000000193354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:45.990{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60530-false10.0.1.12-8000- 23542300x8000000000000000193353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:48.024{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C3A003B74605621B8D9B8E5F9D53FC,SHA256=7147FBB69085492BF1B528D21A9B0712C37F089655F8D633B2E1505115C69B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:49.274{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21FB92B70201E5310F10CABD9D1ED72,SHA256=2EE0658861C26D1EC29DA673E78F592A466D95EA799F8BE744100B765B7AE35F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.643{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.641{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=DF47BD3E0EFA00E4480E01A0EAC34D64,SHA256=B292F9C1391A64B4058400F462BB3DF4DEAE743C45D6EA6A490C9979814F7772,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.570{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.569{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.566{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.564{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.563{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.556{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.554{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.550{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.547{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.544{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.541{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.537{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.536{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 1034100